The formal system λδ is a typed λ-calculus that pursues the unification of terms, types, environments and contexts as its main goal. λδ takes some features from the Automath-related λ-calculi and some from the pure type systems, but differs from both in that it does not include the Π construction while it provides for an abbreviation mechanism at the level of terms. λδ enjoys some important desirable properties such as the confluence of reduction, the correctness of types, the uniqueness of types up to conversion, the subject reduction of the type assignment, the strong normalization of the typed terms and, as a corollary, the decidability of the type inference problem.
1. INTRODUCTION



The leading goal at the root of the present work is the design of a typed λ-calculus, to be used as a logical framework, featuring the unification of terms, types and environments (with the terminology of [Sørensen and Urzyczyn 2006]) while enjoying a desirable meta-theory in the sense of [Barendregt 1993]. In principle we pursue this unification, whose benefits we discuss in Subsection 1.1, by defining a suitable set of expressions that can be terms, types and environments at the same time.

The purpose of this paper is to report on our first attempt to realize such a calculus. In Subsection 1.2 we summarize our starting points and our achievements.

In Subsection 1.3 we briefly introduce the digital specification of our calculus and of its theory inside the Calculus of Inductive Constructions (CIC) [Guidi 2007a]. This specification has been checked by two CIC-based proof assistants.

The calculus is defined in Section 2 where the syntax, the reduction rules and the type assignment rules are given. Our main theorems on the calculus are presented in Section 3. In Section 4 we extend our calculus by adding an "exclusion" binder, of which we show an application. The concluding remarks are in Section 5.

This paper includes four appendices: in Appendix A we show an application of our calculus as a theory of expressions for the structural fragment of the Minimal Type Theory [Maietti and Sambin 2005], while in Appendix B the author proposes to push the calculus in the direction of the "environments as terms as types" paradigm until the unification of these three concepts is reached.

© 20YY ACM 1529-3785/20YY/0700-0001 $5.00
ACM Transactions on Computational Logic, Vol. V, No. N, Month 20YY, Pages 1-44.
Ferruccio Guidi

In Appendix C we report on the differences between the version of the calculus 
in front of the reader and its initial version [Guidi 2006]. 

In Appendix D we give the pointers to the digital version of our results. 

1.1 Background and Motivations 

Untyped λ-calculus [Church 1941] was introduced by Church as a theory of computable functions. Adding a very simple type theory to this calculus, where types are never created by abstraction, Curry obtained a version of the simply typed λ-calculus (a different version of λ→ was proposed by Church afterwards).

Typing by abstraction was introduced in the second half of the past century in response to the need of improving the expressiveness of the above type theory, and this gave rise to many more powerfully typed λ-calculi. The type of a term is always assigned in an environment, that is a structure holding the type information on the free variables that may occur in that term [Sørensen and Urzyczyn 2006].

A historical survey on type theory can be found in [Kamareddine et al. 2004].

In some theories a type can be treated as a term and can be given a type, which is usually termed a kind. Nevertheless many calculi, especially those of the Pure Type Systems (PTS) tradition [Barendregt 1993], provide for constructions that build types, or kinds, but not terms. This is the case of the so-called Π construction. Moreover terms and environments usually belong to distinct syntactical categories.

One reason for having different constructions for terms and types lies in the so-called "Propositions As Types and Proofs As Terms" (PAT) interpretation [Kamareddine et al. 2004] (also known as the Curry-Howard isomorphism) and in the general consensus that propositions and proofs have a significantly different structure. We recall that according to the PAT interpretation, a typed λ-calculus can serve as a logical framework where a proposition is encoded in a type whose inhabitants encode the proofs of that proposition.

On the other hand there are scenarios in which one wants to encode a proposition in a term or a proof in a type. We call this situation the reverse PAT interpretation.

— The Automath experience.

Historically the embedding of logic inside λ-calculus does not always follow the PAT interpretation. This is the case of Aut-68 [van Benthem Jutting 1994b]: a language of the Automath family [de Bruijn 1994c] that is very close to a λ-calculus. This language has only one kind, named type, and this forces the embedding of logic clearly shown in [de Bruijn 1994a], which is used throughout the formal specification of Landau's Grundlagen [van Benthem Jutting 1994a]. We summarize the situation in Figure 1. In Aut-68 the proofs of a proposition do not inhabit the proposition directly, as in the PAT interpretation, but they inhabit the "assertion type" associated to the proposition. In this way a proposition differs from the type of its proofs.

Fig. 1. Different embeddings of logic in type theory

— The realizability tradition.

One of the basic ideas behind type theory is that terms encode some entities (for instance computable functions, computer programs, propositions, proofs) and these entities satisfy a desired property if the corresponding terms are typable. In this respect there are type systems set up to capture some properties of propositions. For instance in the computer program verification scenario one can state that a proposition is admissible if it is the specification of a program (this idea is taken from the realizability tradition [Kleene 1945], where the admissible formulae are those having a realizer, i.e. an implementation). In this perspective one may want to encode the propositions in the terms and their realizers or implementations in the types. This is the case of PML [Raffalli 2007a; 2007b; 2008]: an experimental programming language with program verification support. Notice that in PML the standard PAT interpretation is also allowed.

The above considerations lead one to think that a type theory intended as a logical framework is more flexible if it supports both PAT interpretations at the same time instead of supporting just one of them (either the standard one or the inverse one).

This result is achieved by designing the type theory in such a way that both terms and types are capable of encoding either a proof or a proposition.

The simplest way to obtain this feature is by allowing on one hand the term constructions at the level of types and on the other hand the type constructions at the level of terms. By so doing, we are naturally led to unify terms and types.

It is worth remarking that this unification already appears to some extent in a number of works including [de Bruijn 1994c; Nederpelt 1994; de Vrijer 1994; van Benthem Jutting 1994c; Coquand 1985; Kamareddine 2005].

Coming now to the treatment of environments, there are well established motivations for allowing these structures to contain not just declarations, but abbreviations (i.e. non-recursive definitions) as well. We mention the following ones.

— Practically unavoidable.

Abbreviations allow one to factor large terms, increasing their readability. It is a matter of fact that Mathematics is unimaginable without abbreviations and for this reason every type theory designed as a realistic foundation for developing Mathematics includes some kind of abbreviation mechanism. Taking three very different examples of such theories, we can mention the Automath languages [de Bruijn 1994c], Constructive Type Theory [Nordström et al. 1990] and the Calculus of Inductive Constructions [Coquand and Paulin-Mohring 1990].

— Efficient reduction.

Abbreviations allow one to write the β-contraction in the call-by-name style [Curien and Herbelin 2000], "(λx:W.t)(v) →β let x = v in t", with the effect of delaying the substitution of v in t. This feature is a crucial ingredient of optimal reduction strategies [Asperti and Guerrini 1999] and is exploited in real reduction machines.

Very convenient extensions of well established calculi by means of abbreviations are presented in [Kamareddine et al. 1999; Curien and Herbelin 2000].
Once environments are equipped with abbreviations, we see motivations for pursuing a full duality between environments and terms.

— Aggregates without inductive types. Aggregate data structures, or aggregates for short, play a central role both in programming languages (where they appear as records, modules or objects) and in Mathematics (where they appear as mathematical structures). The type theories featuring aggregates as terms usually exploit inductive types for this purpose, but the machinery for supporting inductive types is too complex if one is only interested in supporting aggregates [de Bruijn 1991], especially if dependent types are allowed. On the other hand every type theory has some support for environments and an environment with abbreviations can serve as an aggregate with dependent components. In this respect we conjecture that supporting environments as terms is much simpler than supporting inductive types for the sole purpose of having aggregates as terms.

— The λμ tradition. Besides terms, types and environments, the λ-calculi for the PAT interpretation of classical logic derived from λμ [Sørensen and Urzyczyn 2006] include structures called "contexts" that play the role of continuations in functional programming. The most general of these calculi, λμμ̃ [Curien and Herbelin 2000], features abbreviations in contexts (but not in terms) and a duality between terms and contexts, which yet does not yield the unification of the two. On the other hand we conjecture that contexts can be easily injected into environments with abbreviations if these environments are also equipped with other constructions usually found in terms (for instance applications). Such extended environments become very close to terms themselves and may be realized by pursuing a "terms as environments" discipline in the design of the type theory.

1.2 Outline

This paper describes a typed λ-calculus, that we call λδ after the names of its binders, that aims at the unification of terms, types, kinds and environments both in a static sense and in a dynamic sense. The static unification rests on the use of a suitable set of expressions that can represent terms, types, kinds and environments simultaneously. Additionally, the dynamic unification rests on allowing the same reduction steps on these expressions whatever they represent.

We are interested in respecting the following desirable constraints: this calculus must have a well conceived meta-theory, which includes the commonly required properties and, as a logical framework, must have enough flexibility and expressive power to encode a non-trivial fragment of Mathematics in a realistic manner.

The above considerations imply that the design of λδ involves two crucial aspects: the choice of the expressions and the choice of the reduction steps allowed on the expressions. In this section we want to discuss these aspects and to analyze their impact on the capability of our calculus to meet the requirements we have set.

The set of the expressions. Our approach in this paper is to build expressions using a reasonably small set of constructions, which we plan to extend in the future.

The starting point is the calculus λ∞ [van Benthem Jutting 1994c] where a set Λ of expressions is generated by a sort τ, variable occurrences, binary applications and typed λ-abstractions in which the types themselves are expressions in Λ.

This is a very basic platform to which we apply the following modifications.
Firstly we add untyped abbreviations, like "let x = v in t", following the motivation outlined in Subsection 1.1. Secondly we notice that the presence of untyped sorts (as τ in λ∞ or as □ in the λ-Cube [Barendregt 1993]) complicates the meta-theory unnecessarily because a distinction must be made between the legal expressions having a type and the legal expressions not having a type. To overcome this drawback we use an infinite number of sorts in place of the single sort τ and we set up a type system (see below) in which every sort is typed. Thirdly we add explicit type annotations (also known as "explicit type casts" in some programming languages) to obtain another meta-theoretical benefit: with these constructions we easily reduce the type checking problem to the type inference problem.

The main limitation of the above set of constructions is the absence of the higher-order abstraction (i.e. the Π construction of the shapes (□, *) and (□, □) according to Barendregt's classification), which essentially sets the expressive power of λδ to that of λP [Barendregt 1993].¹ In any case we can assume that this power is enough to encode non-trivial parts of Mathematics [van Benthem Jutting 1994a].²

We also set the additional limitation that a variable occurrence is not an environment constructor because the interpretation of an expression like "λx:W.x" as an environment is not straightforward at all (here W stands for an expression). However in Appendix B.1 we give some hints on how we plan to face this problem.

As a consequence we use two sets of expressions, one for the terms (that also serve as types and kinds) and one for the environments, which is a proper subset of the former. This means that λδ realizes the unification of types and terms, which is the focus of the calculus, but it does not realize the unification of environments and terms yet. Namely environments are just expressions formally generated by some term constructors, but λδ has no support for using them as terms.

It is important to notice that λδ differs from the Automath-related λ-calculi [Nederpelt et al. 1994] in that they do not provide for an abbreviation construction at the level of terms. We also notice that when abbreviations are used, the λ-abstraction is not strictly necessary for building a logical framework. This is the case of PAL+ [Luo 2003]: a platform where partial applications of functions are not allowed. As a matter of fact, partial applications have well established benefits in several contexts including practical functional programming, so our choice is definitely to include the λ-abstraction in our calculus.

The set of the reduction schemes. The reduction schemes aim at realizing deterministic and confluent computations (as the ones of λ∞), so critical pairs are avoided for simplicity. Since λδ is not focused on achieving the unification of terms and environments, its reduction schemes work only on terms and no support is given for the reduction of environment constructors. Nevertheless these schemes are designed following the principle that they should also work on environments when possible. In particular we must be aware that an environment is essentially a list of declarations (that we represent with λ-abstractions) and abbreviations whose position must be preserved when the environment is reduced.

For this reason we use the call-by-name β-contraction scheme in place of its call-by-value version (the one used by λ∞) because the λ-abstraction in the redex becomes an abbreviation in the reductum instead of being deleted. Another advantage of the call-by-name β-reduction is discussed in Subsection 1.1.

¹ Currently we do not have a proof of this statement, but our conjecture is based on the general consensus that λ∞ has the expressive power of λP [Barendregt 1993].

² We are aware that Aut-QE is a bit more powerful than λP [Kamareddine et al. 2004].

Moreover we have three reduction schemes working on abbreviations, namely a δ-expansion to unfold an abbreviation without removing it, a ζ-contraction for removing an unreferenced abbreviation (this reduction would not be allowed if the abbreviation were an environment constructor) and a υ-swap for permuting an application-abbreviation pair as in [Curien and Herbelin 2000].

Finally we have a τ-contraction for removing explicit type annotations.

Remarkably we do not consider the η-contraction. This is the choice of many calculi including λ∞ and the systems of the λ-Cube [Barendregt 1993].

Also notice that we can obtain a call-by-value β-contraction by concatenating a call-by-name β-contraction, a δ-expansion and a ζ-contraction.

The type system. Our aim is to confine the dynamic aspect of the type assignment in the so-called "conversion rule" [Barendregt 1993]. This means that we wish to remove any reference to reduction from the other type assignment rules. The technical benefit of this approach is that we make a clear syntactical distinction between the construction steps and the conversion steps needed to infer a type.

Typed sorts. We have a sequence of sorts h ↦ Sort_h (where h ranges over the set ℕ of the natural numbers) and a function g : ℕ → ℕ that we can choose at will as long as h < g(h) holds for every h. In this setting Sort_h is typed by Sort_{g(h)}.

Typed variable occurrences. We exploit the idea that an unreferenced variable needs a legal declaration only if it is the formal argument of a function, to combine the so-called "start rule" and "weakening rule" [Barendregt 1993] in a simpler rule.

Typed λ-abstractions. We use the policy of λ∞, which is known as λ-typing. Namely, up to conversion, the type of a λ-abstraction is a λ-abstraction. This policy is adopted by many calculi of the Automath family [Nederpelt et al. 1994] and by other calculi including [Kamareddine 2005; de Groote 1993; Wiedijk 1999].

Typed abbreviations. We use the λ-typing pattern with abbreviations in place of λ-abstractions. This approach yields a uniform typing policy for both binders.

Typed applications. We use the "compatible" application rule of [Kamareddine et al. 1999] with λ in place of Π, because it does not involve reduction. By so doing, we strengthen the so-called "applicability condition"³ with respect to λ∞, but we conjecture that this is a minor drawback. For instance the term t = (x₁ z) is legal in the environment Γ = (x₀ : λy:τ.y), (x₁ : x₀), (z : τ) for λ∞ but not for λδ.

Explicit type annotations. We use a "compatible typing" policy as well.

The meta-theoretical properties. One of the aims of the present paper is to show that the design features of λδ we just described are compatible with the presence of a desirable meta-theory in the usual sense. The main results are:

— the reduction is confluent (Church-Rosser property): Theorem 3(3);
— the reduction is safe (subject reduction property): Theorem 9(2);
— the typed terms are strongly normalizing: Theorem 10(2).

We also prove other standard properties like the correctness of types, the uniqueness of types up to reduction and the decidability of the type inference problem.

We stress that the λ-abstraction is predicative in that Γ ⊢ λx:W.t : W never holds. So λδ can serve as a theory of expressions for the type theories requiring a meta-language with a predicative abstraction like those in the Martin-Löf style [Maietti and Sambin 2005; Nordström et al. 1990; Martin-Löf 1984].

³ This is the condition that an application must satisfy in order to be legal or well typed.

1.3 The Certified Specification

The initial version of λδ appears in [Guidi 2006] where the author outlines the definitions used in [Guidi 2007a] to specify an extension of λδ named λδχ (see Section 4) in the Calculus of Inductive Constructions (CIC). Using this encoding it is possible to certify all currently proved properties of the calculus with the CIC-based proof assistants Coq [Coq development team 2007] and Matita [Asperti et al. 2006].

Following the description of λ∞ in [van Benthem Jutting 1994c], the CIC specification exploits position indexes [de Bruijn 1994b] rather than names to represent the bound variable occurrences. However in this paper we will use names.

Remarkably, λδ was born and developed in the digital format of [Guidi 2007a], which is not the formal counterpart of some informal material previously written on paper (as happens for most currently digitalized Mathematics). In particular the detailed proofs of the properties of λδ currently exist only in their digital version. Producing a hard copy of these proofs is indeed an interesting challenge because it requires the implementation of a suitable technology for the mechanical transformation of digital CIC proof terms into human-readable proofs.⁴ Our estimate of the length of the hard copy is 600 pages.

In this paper we outline all proofs of our statements by reporting on the proof strategy and on the main dependences of each proof. Most proofs are by induction on the length of a derivation or by cases on the last step of a derivation. Very often both techniques are applied together. This procedure breaks the proof into a lot of cases whose details we do not give (because they are very easy). However we report on the interesting cases, giving some hints on how they are solved.

In Appendix D we give the pointers to the digital proof objects representing the proofs mentioned in the paper. These proof objects are available as resources of the Hypertextual Electronic Library of Mathematics (HELM) [Asperti et al. 2003].

In Appendix C we present the main advancements of [Guidi 2007a] at its current state over the description given in [Guidi 2006].

⁴ In [Guidi 2007b] we present an effective procedure for transforming a CIC proof term into a sequence of basic proof steps. We have already implemented this procedure in the proof assistant Matita.

2. THE DESCRIPTION OF λδ

In this section we will define λδ in terms of its grammar (Subsection 2.1), its reduction rules (Subsection 2.3) and its native type assignment rules (Subsection 2.4). We will also define some relevant auxiliary notions such as the static type assignment (Subsection 2.5), the arity assignment (Subsection 2.6) and two preorders on environments (Subsection 2.7). Care was taken to order these topics in a way that takes the reader to the native type assignment rules as soon as possible.
λδ uses three data types: the set ℕ of the natural numbers, the set T of the terms and the set E of the environments. ℕ is used to represent sort indexes (all indexes start at 0), T contains the expressions the calculus is about (also called pseudo-terms) and E can be seen as a subclass of T. Although it is not strictly necessary, it is convenient to present T and E as two distinct data types.

In the presentation of λδ in front of the reader, the term variables are referenced by name and the names for these variables (i.e. x, y, ...) belong to a data type V.

Consistently throughout the presentation, we will be using the following convention about the names of the meta-variables: i, j, h, k will range over ℕ; T, U, V, W will range over T and C, D, E, F will range over E or will denote a part of an environment. We use the Latin capital letters for the term meta-variables following the untyped λ-calculus tradition [Barendregt 1993] and we use these letters also for the environment meta-variables, instead of using the standard Greek capital letters, because we follow the "environments as terms" policy pursued by λδ.

Lists will also be used (we need them in Subsection 3.2 to prove the strong normalization theorem). The names of variables denoting lists will be overlined, like T̄ for a list of terms. We will use ∘ for the empty list and the infix semicolon for concatenation, like T̄ ; T.

In order to avoid the explicit treatment of α-conversion, we will assume that the names of the bound variables and of the free variables are disjoint in every term, judgement and rule of the calculus (this is known as the "Barendregt convention").

2.1 The Language

Our syntax of terms and environments takes advantage of the so-called item notation [Kamareddine and Nederpelt 1996b] because of its well documented benefits. When using the item notation of λ-terms, the operands of an application are presented in reverse order with respect to standard notation, i.e. the application of T to V is presented like (T V) in standard notation and like (V).T in item notation. This means that a β-redex takes the form (V).λx:W.T rather than (λx:W.T V). In this situation the argument V and the abstraction λx:W are close to each other rather than having the body T between them, which can be very long. In this sense we believe that this notation, which is almost a constant of the Automath-related works [Nederpelt et al. 1994], improves the visual understanding of β-redexes by helping the reader to find the argument-abstraction pairs more easily.

Definition 1 (terms and environments).

The terms of λδ are made of these syntactical items: Sort_h (sort), x (variable occurrence), λx:W (abstractor), δx←V (abbreviator), (V) (applicator) and ⟨W⟩ (type annotator). The sets of terms and environments are defined as follows:

  T = Sort_ℕ | V | λV:T.T | δV←T.T | (T).T | ⟨T⟩.T      (1)

  E = Sort_ℕ | λV:T.E | δV←T.E | (T).E | ⟨T⟩.E          (2)

In the above definition Sort_h is the sort of index h, x is a variable occurrence, λx:W.T is the usual λ-abstraction (simply abstraction henceforth) of T over the type W, δx←V.T is the abbreviation of V in T (i.e. let x = V in T), (V).T is the application of T to V (i.e. (T V) in standard notation) and ⟨W⟩.T is the type annotation of T with W (i.e. (T : W) in ML notation).

We remark that type annotations allow us to reduce the type checking problem to the type inference problem: see Theorem 7(6) and Theorem 8(8).

We can generalize the application to (V₁ ; … ; Vᵢ).T, which denotes (V₁) … (Vᵢ).T.

It follows from Definition 1(2) that an environment E is always of the form C.Sort_h, so we allow the notations E.λx:W and E.δx←V by which we mean the environments C.λx:W.Sort_h and C.δx←V.Sort_h respectively.

A focalized term is an ordered pair (E, T) representing a term T closed in an environment E. In the "environments as terms" perspective pursued by λδ, we can also think that such a pair denotes the concatenation of T after E. Namely (C.Sort_h, T) may denote the term C.T. We stress that focalized terms play an essential role in the substitution lemma for typing, Theorem 8(4), and in the proof that the type inference problem is decidable, Theorem 11(2).

2.2 Some Helper Operators

Now we can introduce some operators that we will use in the next sections.

Definition 2 (free variables).

The subset FV(T) contains the free variables occurring in the term T. The free variables of a term are defined as usual.

Definition 3 (environment predicate).

The predicate env(T) states that the term T has the shape of an environment.

— (sort) env(Sort_h);
— (compatibility) if env(T) then env(λx:W.T) and env(δx←V.T) and env((V).T) and env(⟨W⟩.T).

We need this predicate only because in λδ some terms are not environments (see Subsection 1.2) and we use it just in Theorem 12(2).

The substitution operators we define below are exploited by the current reduction rules (see Subsection 2.3), but we conjecture that these rules can be reformulated without mentioning substitution explicitly.

Definition 4 (strict substitution on terms).

The non-deterministic partial function [y⁺←W]_t T substitutes W for one or more occurrences of y in T, while it remains undefined if y ∈ FV(W) or if y ∉ FV(T). The subscript "t" is part of the notation and the "+" recalls "one or more".

(1) (var) if y ∉ FV(W) then [y⁺←W]_t y = W;
(2) (compatibility) if [y⁺←W]_t V₁ = V₂ and [y⁺←W]_t T₁ = T₂ then
  (a) (abst) [y⁺←W]_t λx:V₁.T = λx:V₂.T and [y⁺←W]_t λx:V.T₁ = λx:V.T₂ and [y⁺←W]_t λx:V₁.T₁ = λx:V₂.T₂;
  (b) (abbr) [y⁺←W]_t δx←V₁.T = δx←V₂.T and [y⁺←W]_t δx←V.T₁ = δx←V.T₂ and [y⁺←W]_t δx←V₁.T₁ = δx←V₂.T₂;
  (c) (appl) [y⁺←W]_t (V₁).T = (V₂).T and [y⁺←W]_t (V).T₁ = (V).T₂ and [y⁺←W]_t (V₁).T₁ = (V₂).T₂;
  (d) (cast) [y⁺←W]_t ⟨V₁⟩.T = ⟨V₂⟩.T and [y⁺←W]_t ⟨V⟩.T₁ = ⟨V⟩.T₂ and [y⁺←W]_t ⟨V₁⟩.T₁ = ⟨V₂⟩.T₂.

As already pointed out in [Guidi 2006], the function that substitutes W for y in T can be defined in many different ways. The difference lies in the number of occurrences of y that a single application of the function can substitute. The choices are: one, one or more, zero or more, all, all if one exists. Our approach is to adopt the second choice and we can justify it with some technical reasons connected to reduction (see Subsection 2.3). λδ currently defines two δ-reduction rules (i.e. expansions of local definitions) and we want to use the same substitution function in the description of both rules. This consideration rules out the first choice of the above list because it invalidates Theorem 3(1), which is a prerequisite of Theorem 3(3). The third and the fourth choices, which are the most used in the literature, do not have this problem, but complicate one of the δ-reduction rules if we want to preserve its "orthogonality" (i.e. absence of critical pairs) with respect to the ζ-reduction rule. It is important to stress that this "orthogonality" simplifies the proof of Theorem 3(2), another prerequisite of Theorem 3(3). The last choice of the above list is simply too complex with respect to the benefits it gives.

Notice that with our substitution function we cannot replace a variable with itself, but this is not a problem since we use this function just to evaluate the δ-redexes, i.e. we use it just to expand non-recursive definitions.

Using the same approach, we can define the strict substitution on environments.

Definition 5 (strict substitution on environments).

The non-deterministic partial function [y⁺←W]_e E substitutes the term W in the environment E for one or more occurrences of the variable y occurring in E. The subscript "e" is part of the notation and the "+" recalls "one or more". The rules are the following: if [y⁺←W]_t V₁ = V₂ and [y⁺←W]_e E₁ = E₂ then

(1) (abst) [y⁺←W]_e λx:V₁.E = λx:V₂.E and [y⁺←W]_e λx:V.E₁ = λx:V.E₂ and [y⁺←W]_e λx:V₁.E₁ = λx:V₂.E₂;
(2) (abbr) [y⁺←W]_e δx←V₁.E = δx←V₂.E and [y⁺←W]_e δx←V.E₁ = δx←V.E₂ and [y⁺←W]_e δx←V₁.E₁ = δx←V₂.E₂;
(3) (appl) [y⁺←W]_e (V₁).E = (V₂).E and [y⁺←W]_e (V).E₁ = (V).E₂ and [y⁺←W]_e (V₁).E₁ = (V₂).E₂;
(4) (cast) [y⁺←W]_e ⟨V₁⟩.E = ⟨V₂⟩.E and [y⁺←W]_e ⟨V⟩.E₁ = ⟨V⟩.E₂ and [y⁺←W]_e ⟨V₁⟩.E₁ = ⟨V₂⟩.E₂.

The strict substitution on focalized terms is defined following the same pattern.

Definition 6 (strict substitution on focalized terms).

The non-deterministic partial function [y⁺←W]_f (E, T) substitutes W in (E, T) for one or more occurrences of the variable y occurring in (E, T). The subscript "f" is part of the notation and the "+" recalls "one or more". The rules are the following: if [y⁺←W]_e E₁ = E₂ and [y⁺←W]_t T₁ = T₂ then [y⁺←W]_f (E₁, T) = (E₂, T) and [y⁺←W]_f (E, T₁) = (E, T₂) and [y⁺←W]_f (E₁, T₁) = (E₂, T₂).

The strict substitution on focalized terms is needed to state the substitution lemma for the native type assignment in a way that breaks the mutual dependences existing between the analogous lemmas stated just for the strict substitution on terms and on environments (see Theorem 8).
$$\frac{}{\mathrm{Sort}_h \Rightarrow \mathrm{Sort}_h}\ \text{(sort)} \qquad \frac{}{x \Rightarrow x}\ \text{(var)}$$

$$\frac{W_1 \Rightarrow W_2 \quad T_1 \Rightarrow T_2}{\lambda x{:}W_1.T_1 \Rightarrow \lambda x{:}W_2.T_2}\ \text{(abst)} \qquad \frac{V_1 \Rightarrow V_2 \quad T_1 \Rightarrow T_2}{\delta x{\leftarrow}V_1.T_1 \Rightarrow \delta x{\leftarrow}V_2.T_2}\ \text{(abbr)}$$

$$\frac{V_1 \Rightarrow V_2 \quad T_1 \Rightarrow T_2}{(V_1).T_1 \Rightarrow (V_2).T_2}\ \text{(appl)} \qquad \frac{W_1 \Rightarrow W_2 \quad T_1 \Rightarrow T_2}{\langle W_1 \rangle.T_1 \Rightarrow \langle W_2 \rangle.T_2}\ \text{(cast)}$$

$$\frac{V_1 \Rightarrow V_2 \quad T_1 \Rightarrow T_2}{(V_1).\lambda x{:}W.T_1 \Rightarrow \delta x{\leftarrow}V_2.T_2}\ (\beta) \qquad \frac{V_1 \Rightarrow V_2 \quad T_1 \Rightarrow T_2 \quad [x^+{\leftarrow}V_2]_t T_2 = T}{\delta x{\leftarrow}V_1.T_1 \Rightarrow \delta x{\leftarrow}V_2.T}\ (\delta)$$

$$\frac{T_1 \Rightarrow T_2 \quad x \notin \mathrm{FV}(T_1)}{\delta x{\leftarrow}V.T_1 \Rightarrow T_2}\ (\zeta) \qquad \frac{T_1 \Rightarrow T_2}{\langle W \rangle.T_1 \Rightarrow T_2}\ (\tau) \qquad \frac{V_1 \Rightarrow V_3 \quad V_2 \Rightarrow V_4 \quad T_1 \Rightarrow T_2}{(V_1).\delta x{\leftarrow}V_2.T_1 \Rightarrow \delta x{\leftarrow}V_4.(V_3).T_2}\ (\upsilon)$$

Fig. 2. Environment-free parallel reduction rules on terms



  scheme           redex               reductum                  condition
  β-contraction    (V).λx:W.T     →β   δx←V.T
  δ-expansion      δx←V.T         →δ   δx←V.[x+←V]t T           if x ∈ FV(T)
  ζ-contraction    δx←V.T         →ζ   T                         if x ∉ FV(T)
  τ-contraction    ⟨W⟩.T          →τ   T
  υ-swap           (V1).δx←V2.T   →υ   δx←V2.(V1).T

Fig. 3. Environment-free reduction steps
2.3 Reduction and Conversion

The equivalence of terms in λδ is based on environment-dependent conversion, that
is the reflexive, symmetric and transitive closure of environment-dependent reduction.
The latter is expressed in terms of environment-free reduction, that is the
compatible closure of five reduction schemes named β, δ, ζ, τ, υ.

The purpose of the present section is to describe this construction in detail.

The need for environment-dependent reduction and conversion derives from the
presence of abbreviations in environments [Kamareddine et al. 1999]: for example
in the environment E.δx←V we want to δ-expand the term x to V.

Definition 7 environment-free reduction on terms.
The relation T1 ⇒ T2 indicates one step of environment-free parallel reduction
from T1 to T2. Its rules are in Figure 2. The reduction steps are in Figure 3.

Environment-free reduction is presented in its parallel form to ease the proof
of the Church-Rosser property stated by Theorem 3(2). In fact, using parallel
reduction, we bypass the need to trace redexes as done in [Barendregt 1993].

The effect of a step T1 ⇒ T2 is to reduce a subset of the redexes appearing in T1.

The β scheme does not perform a full β-contraction in the usual sense, but
converts a β-redex into a δ-redex or a ζ-redex, leaving the rest of the contraction
to these two schemes. The δ scheme expands (i.e. unfolds) some instances of an
abbreviation (but not necessarily all of them), so the binder remains in place after
the expansion to allow other instances of the same abbreviation to be unfolded
if necessary. The ζ scheme removes the binder of a fully expanded abbreviation
(this can be related to COQ [Coq development team 2007], but the ζ scheme of COQ
unfolds the abbreviation before removing its binder, which we do by invoking the
δ scheme). The τ scheme makes type annotations eliminable up to reduction. In
this way we express the fact that these items are not strictly essential for reduction
and typing. The υ scheme is meant to contract the β-redex (V1).λx:W when
its two items are separated by an extraneous abbreviator (i.e. δy←V2). Without
the υ-swap, the β-redex would be created only after removing this abbreviator by
ζ-contraction; this means that the associated abbreviation would have to be completely
unfolded before the removal. With the υ-swap, instead, we can obtain the β-redex
without any unfolding and this is certainly more desirable in realistic use cases.

ACM Transactions on Computational Logic, Vol. V, No. N, Month 20YY.

12 • Ferruccio Guidi

$$\frac{}{E \Rightarrow_{we} E}\ \text{(refl)} \qquad \frac{W_1 \Rightarrow W_2 \quad E_1 \Rightarrow_{we} E_2}{\lambda x{:}W_1.E_1 \Rightarrow_{we} \lambda x{:}W_2.E_2}\ \text{(abst)} \qquad \frac{V_1 \Rightarrow V_2 \quad E_1 \Rightarrow_{we} E_2}{\delta x{\leftarrow}V_1.E_1 \Rightarrow_{we} \delta x{\leftarrow}V_2.E_2}\ \text{(abbr)}$$

$$\frac{V_1 \Rightarrow V_2 \quad E_1 \Rightarrow_{we} E_2}{(V_1).E_1 \Rightarrow_{we} (V_2).E_2}\ \text{(appl)} \qquad \frac{W_1 \Rightarrow W_2 \quad E_1 \Rightarrow_{we} E_2}{\langle W_1 \rangle.E_1 \Rightarrow_{we} \langle W_2 \rangle.E_2}\ \text{(cast)}$$

Fig. 4. Weak parallel reduction rules on environments

$$\frac{T_1 \Rightarrow T_2}{E \vdash T_1 \Rightarrow T_2} \qquad \frac{E = C_1.\delta x{\leftarrow}V.C_2 \quad T_1 \Rightarrow T_2 \quad [x^+{\leftarrow}V]_t T_2 = T}{E \vdash T_1 \Rightarrow T}\ (\delta)$$

Fig. 5. Environment-dependent parallel reduction rules

It is worth remarking how the full β-contraction is achieved in this calculus:
the full β-contraction performs three atomic actions on the term (V).λx:W.T: it
removes the applicator, it removes the binder, it substitutes V for all occurrences of
x in T. In λδ special care is taken to have three different reduction schemes that
take charge of these actions. The β scheme is responsible for removing the applicator
(the binder is changed but it is not removed). The substitution is performed by
invoking the δ scheme one or more times, as long as x occurs in T. When the
substitution is completed, the ζ scheme can be applied and the binder is removed.

As we see, the five reduction schemes are "orthogonal" or "primary" in the sense
that a given redex belongs to just one scheme and therefore it reduces in a unique
way. This means that we never have critical pairs. Here we are using "primary" as
opposed to "auxiliary" of [Kamareddine and Bloo 2005b; 2005a]. Other primary or
auxiliary reduction schemes might be considered as well.
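The decomposition of the usual β-contraction into the β, δ and ζ schemes, and the orthogonality of the five schemes of Figure 3, as an added Python example (this is not code from the paper or from its CIC specification). Assumptions made here: terms are encoded as tagged tuples chosen for this example, variables are named rather than de Bruijn indexes as in [Guidi 2007a], and the non-deterministic strict substitution [x+←V]t is instantiated with its "all free occurrences" outcome, so that a single δ step is enough before ζ applies.

```python
"""λδ terms as tagged tuples (encoding constructed for this example):
  ('sort', h)         Sort_h
  ('var', x)          variable x (named; the paper's specification uses de Bruijn indexes)
  ('abst', x, W, T)   λx:W.T
  ('abbr', x, V, T)   δx←V.T
  ('appl', V, T)      (V).T   applicator
  ('cast', W, T)      ⟨W⟩.T   type annotation
"""

_CHILDREN = {'abst': (2, 3), 'abbr': (2, 3), 'appl': (1, 2), 'cast': (1, 2)}

def fv(t):
    """Free variables: x is bound in the body of λx:W.T and δx←V.T, not in W or V."""
    tag = t[0]
    if tag == 'sort':
        return set()
    if tag == 'var':
        return {t[1]}
    if tag in ('abst', 'abbr'):
        return fv(t[2]) | (fv(t[3]) - {t[1]})
    return fv(t[1]) | fv(t[2])

def subst(y, w, t):
    """[y+←w]t t, taking the 'all free occurrences' outcome (one legal choice of
    'one or more').  Callers check the side condition y ∈ FV(t) of Figure 3.
    Assumes no binder of t captures a free variable of w (Barendregt convention)."""
    tag = t[0]
    if tag == 'var':
        return w if t[1] == y else t
    if tag in ('abst', 'abbr'):
        _, x, u, body = t
        if x == y:                        # y is rebound: the body is out of scope
            return (tag, x, subst(y, w, u), body)
        assert x not in fv(w), "capture: rename binder %s first" % x
        return (tag, x, subst(y, w, u), subst(y, w, body))
    if tag in ('appl', 'cast'):
        return (tag, subst(y, w, t[1]), subst(y, w, t[2]))
    return t                              # sort

def root_scheme(t):
    """The unique scheme of Figure 3 whose redex matches the root of t, or None.
    The cases are mutually exclusive: a redex belongs to exactly one scheme."""
    tag = t[0]
    if tag == 'appl':
        return {'abst': 'beta', 'abbr': 'upsilon'}.get(t[2][0])
    if tag == 'abbr':
        return 'delta' if t[1] in fv(t[3]) else 'zeta'
    if tag == 'cast':
        return 'tau'
    return None

def contract_root(t):
    """One reduction step at the root of t, or None if the root is not a redex."""
    s = root_scheme(t)
    if s == 'beta':                       # (V).λx:W.T  →β  δx←V.T   (binder kept)
        _, v, (_, x, _w, body) = t
        return ('abbr', x, v, body)
    if s == 'upsilon':                    # (V1).δx←V2.T  →υ  δx←V2.(V1).T
        _, v1, (_, x, v2, body) = t
        assert x not in fv(v1), "rename x first (the de Bruijn version lifts V1)"
        return ('abbr', x, v2, ('appl', v1, body))
    if s == 'delta':                      # δx←V.T  →δ  δx←V.[x+←V]t T  (x ∈ FV(T))
        _, x, v, body = t
        return ('abbr', x, v, subst(x, v, body))
    if s == 'zeta':                       # δx←V.T  →ζ  T               (x ∉ FV(T))
        return t[3]
    if s == 'tau':                        # ⟨W⟩.T  →τ  T
        return t[2]
    return None

def step(t):
    """One sequential step on the leftmost-outermost redex; None if t is normal."""
    r = contract_root(t)
    if r is not None:
        return r
    for i in _CHILDREN.get(t[0], ()):
        s = step(t[i])
        if s is not None:
            return t[:i] + (s,) + t[i + 1:]
    return None

def normalize(t, fuel=1000):
    """Iterate step() to a normal form; fuel bounds the search on untyped terms."""
    for _ in range(fuel):
        n = step(t)
        if n is None:
            return t
        t = n
    raise RuntimeError("no normal form within fuel")

def full_beta(t):
    """Classic β-contraction of (V).λx:W.T as the three atomic actions of λδ:
    β removes the applicator, δ substitutes (a single δ suffices here because
    subst() unfolds every occurrence), ζ removes the now-unreferenced binder."""
    assert root_scheme(t) == 'beta'
    t = contract_root(t)
    if root_scheme(t) == 'delta':
        t = contract_root(t)
    assert root_scheme(t) == 'zeta'
    return contract_root(t)
```

Calling `full_beta` on the tuple for (y).λx:Sort1.(x).x yields the tuple for (y).y, the same result that `normalize` reaches by repeatedly picking the leftmost-outermost redex; `root_scheme` makes the absence of critical pairs explicit, since each root shape selects one scheme only, and the υ case carries the capture side condition that de Bruijn indexes would resolve by lifting.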

The above reduction allows us to define a weak parallel reduction on environments,
which we use to prove the subject reduction results Theorem 9(1) and Theorem 2(1).
This reduction is weak in the sense that it involves just the terms appearing in the
environment items and not the environment items themselves.

Definition 8 weak reduction on environments.

The relation E1 ⇒we E2 indicates one step of weak parallel reduction from the
environment E1 to the environment E2. Its rules are shown in Figure 4.

Definition 9 environment-dependent parallel reduction.

The relation E ⊢ T1 ⇒ T2 indicates one step of environment-dependent parallel
reduction from T1 to T2. Its rules are shown in Figure 5 and the reduction steps
are shown in Figure 6. Moreover the relation E ⊢ T1 ⇒* T2 is the transitive closure
of ⊢ ⇒ and the relation E ⊢ T1 ⇔* T2 is the symmetric and transitive closure of
⊢ ⇒, which we call environment-dependent parallel conversion.

Environment-dependent reduction is also presented in its parallel form to ease the
proof of confluence with itself (Theorem 3(3)). The effect of a step E ⊢ T1 ⇒ T2 is
to reduce a subset of the environment-free redexes appearing in T1 and, optionally,
to expand one or more instances of a global abbreviation stored in E.

  scheme        redex                   reductum        condition
  δ-expansion   C1.δx←V.C2 ⊢ T     →δ   [x+←V]t T       if x ∈ FV(T)

Fig. 6. Environment-dependent reduction steps

We are aware that the δ rule of Figure 5 could be improved by using environment-
dependent reduction in place of environment-free reduction in the second premise.

Finally we discard the widely used notation with the = sign for the conversion
relation because we feel that = should be reserved for a generic equivalence relation.
We could use =βδζτυ to indicate that conversion is equality up to the indicated
reduction steps, but this notation does not make clear whether these steps are
actually performed sequentially or in parallel.

We recall that a term is normal or in normal form [Barendregt 1993] when it
cannot be reduced. Here we use the following definition of a normal term.

Definition 10 normal terms.

The predicate nf(E, T), stating that the term T is normal with respect to context-
dependent parallel reduction E ⊢ ⇒, is defined as follows:

nf(E, T1) iff for each T2, E ⊢ T1 ⇒ T2 implies T1 = T2.   (3)

Here we are taking into account the fact that ⊢ ⇒ is a reflexive relation.

We can also extend the normal form predicate to a list of terms, meaning the
conjunction of the predicate applied to each element of the list.

According to [Girard et al. 1989; Barendregt 1993] a term T is strongly normalizable
if there is no infinite sequence of reduction steps starting from T.

Definition 11 strongly normalizable terms.

The predicate sn(E, T), stating that the term T is strongly normalizable with
respect to context-dependent parallel reduction E ⊢ ⇒, is inductively defined by one
clause that is a higher order rule:

If for each T2, T1 ≠ T2 and E ⊢ T1 ⇒* T2 imply sn(E, T2), then sn(E, T1).   (4)

Indeed if E ⊢ T1 ⇒* T2 holds for no T2 ≠ T1, then T1 is normal and sn(E, T1) holds a
fortiori. This is the base case of the structural induction defined by Rule (4).

Essentially we borrowed this definition from [Letouzey and Schwichtenberg 2004]
but we had to take into account the fact that E ⊢ ⇒* is a reflexive relation. Moreover
we would prefer to use E ⊢ ⇒ in place of E ⊢ ⇒*, but E ⊢ ⇒ is not perfectly
designed yet and some desirable properties fail to hold: for instance even if
E ⊢ V1 ⇒ V2 and E ⊢ T1 ⇒ T2, it is not true that E ⊢ (V1).T1 ⇒ (V2).T2.

We can also extend the strong normalization predicate to a list of terms, meaning
the conjunction of the predicate applied to each element of the list.

2.4 Native Type Assignment

In this subsection we present the native type system of λδ. Another type system,
originally due to de Bruijn, is presented in Subsection 2.5.
The type judgement depends on the parameter defined below:
$$\frac{}{E \vdash_g \mathrm{Sort}_h : \mathrm{Sort}_{g(h)}}\ \text{(sort)}$$

$$\frac{E = C_1.\delta x{\leftarrow}V.C_2 \quad C_1 \vdash_g V : W}{E \vdash_g x : W}\ \text{(def)} \qquad \frac{E = C_1.\lambda x{:}W.C_2 \quad C_1 \vdash_g W : V}{E \vdash_g x : W}\ \text{(decl)}$$

$$\frac{E \vdash_g V : W \quad E.\delta x{\leftarrow}V \vdash_g T : U}{E \vdash_g \delta x{\leftarrow}V.T : \delta x{\leftarrow}V.U}\ \text{(abbr)} \qquad \frac{E \vdash_g W : V \quad E.\lambda x{:}W \vdash_g T : U}{E \vdash_g \lambda x{:}W.T : \lambda x{:}W.U}\ \text{(abst)}$$

$$\frac{E \vdash_g V : W \quad E \vdash_g T : \lambda x{:}W.U}{E \vdash_g (V).T : (V).\lambda x{:}W.U}\ \text{(appl)} \qquad \frac{E \vdash_g T : W \quad E \vdash_g W : V}{E \vdash_g \langle W \rangle.T : \langle V \rangle.W}\ \text{(cast)}$$

$$\frac{E \vdash_g U_2 : W \quad E \vdash_g T : U_1 \quad E \vdash U_1 \Leftrightarrow^* U_2}{E \vdash_g T : U_2}\ \text{(conv)}$$

Fig. 7. Native type assignment rules

Definition 12 sort hierarchy parameter.

The sort hierarchy parameter is a function g: ℕ → ℕ that satisfies the strict
monotonicity condition: h < g(h) for all h.

The value g(h) is the index of the sort that types Sort_h, and the monotonicity of
g is the simplest condition ensuring a loop-free type hierarchy of sorts. We use this
condition to prove Theorem 10(6) (impossibility of typing a term with itself).

Notice that g is a total function, but in the most general case a partial function
should be used. This would allow sort hierarchies with top-level elements like the
ones of many typed λ-calculi. Nevertheless this generalization is inconvenient since
it complicates several theorems about typing without increasing the expressiveness
of the calculus; in fact any sort hierarchy with top-level elements can be embedded
in a sort hierarchy without top-level elements.

Definition 13 native type assignment.

The native type judgement has the form E ⊢g T : U where g is a sort hierarchy
parameter. Its rules are shown in Figure 7.

Notice that the λδ type judgement does not depend on the notion of a legal
(i.e. well formed) context, as happens in other type systems (see for instance
[Maietti and Sambin 2005]). This is because an unreferenced variable needs a legal
declaration only if it is the formal argument of a function. This approach, which
is closer to a realistic implementation of a type checker, has the technical benefit
of simplifying the proofs of the properties of types because the mutual dependence
between the type judgement and the legality judgement disappears.

The type policy of λδ is that the type rules should be as close as possible to the
usual rules of typed λ-calculus [Barendregt 1993]. The major modification lies in
the type rule for abstraction, which is the composition of the usual type rules for λ
and for Π. Here are the type rules for λ and for Π in the λ-cube:

$$\frac{\Gamma, x{:}A \vdash b : B \quad \Gamma \vdash (\Pi_{x:A}.B) : s}{\Gamma \vdash (\lambda_{x:A}.b) : (\Pi_{x:A}.B)} \qquad \frac{\Gamma \vdash A : s_1 \quad \Gamma, x{:}A \vdash B : s_2}{\Gamma \vdash (\Pi_{x:A}.B) : s_2} \quad (5)$$

In λδ we want to type an abstraction with an abstraction, therefore we remove the
second premise of the first rule and the conclusion of the second rule. Then we make
a single rule by combining the remaining judgements and by turning the Π into a
λ. In addition we generalize the sorts s1 and s2 to arbitrary types. Moreover we
recently noticed that the second premise of the second rule becomes unnecessary.
The rule we obtain at the end is Figure 7(abst). An important consequence of
this rule, expressed by Theorem 10(1), is that a term and its type have the same
functional structure, i.e. they take the same number of arguments when they are
interpreted as functions; moreover the corresponding arguments of these functions
have the same type. Stated in other words, a type fully determines the number of
arguments taken by its inhabitants and the types of these arguments.

$$\frac{}{\mathrm{st}_g(E, \mathrm{Sort}_h) = \mathrm{Sort}_{g(h)}}\ \text{(sort)}$$

$$\frac{E = C_1.\delta x{\leftarrow}V.C_2 \quad \mathrm{st}_g(C_1, V) = W}{\mathrm{st}_g(E, x) = W}\ \text{(def)} \qquad \frac{E = C_1.\lambda x{:}W.C_2 \quad \mathrm{st}_g(C_1, W) = V}{\mathrm{st}_g(E, x) = W}\ \text{(decl)}$$

$$\frac{\mathrm{st}_g(E.\delta x{\leftarrow}V, T) = U}{\mathrm{st}_g(E, \delta x{\leftarrow}V.T) = \delta x{\leftarrow}V.U}\ \text{(abbr)} \qquad \frac{\mathrm{st}_g(E.\lambda x{:}W, T) = U}{\mathrm{st}_g(E, \lambda x{:}W.T) = \lambda x{:}W.U}\ \text{(abst)}$$

$$\frac{\mathrm{st}_g(E, T) = U}{\mathrm{st}_g(E, (V).T) = (V).U}\ \text{(appl)} \qquad \frac{\mathrm{st}_g(E, V) = W \quad \mathrm{st}_g(E, T) = U}{\mathrm{st}_g(E, \langle V \rangle.T) = \langle W \rangle.U}\ \text{(cast)}$$

Fig. 8. Static type assignment rules

Figure 7(abbr) follows the scheme of Figure 7(abst) and is compatible with the
commonly accepted Rule (6) for typing abbreviations found in [Coq development
team 2007], since B[x := A] and (δx=A.B) are δζ-convertible. Notice that C does
not need to be a sort in this rule.

$$\frac{\Gamma, x{=}A \vdash b : B \quad \Gamma \vdash A : C}{\Gamma \vdash (\delta_{x=A}.b) : B[x := A]} \quad (6)$$

In the spirit of Figure 7(abbr), the rule typing the application (Figure 7(appl),
which we borrow from [Kamareddine et al. 1999]) does not apply any reduction at
the level of types (as Rule (6) does, unfolding the abbreviation in the term B).

The technical benefit of this approach is that the reductional behavior of the type
judgement is confined to the so-called "conversion rule".

More sophisticated forms of typing, involving reductions in the environment (in
the sense of Subsection 2.3), might be considered as well.

2.5 Static Type Assignment

The so-called de Bruijn type assignment (typ in [de Bruijn 1993] and in the
Automath tradition) is a function introduced by de Bruijn as part of the type checking
algorithm for the language AUT-68. Here we define the analogous concept in λδ.

Definition 14 static type assignment.

The partial function st_g(E, T) evaluates the static type of a term T in the
environment E, which depends on the parameter g. Its rules are shown in Figure 8.

The non-deterministic partial function st+_g(E, T) evaluates the composition of
one or more applications of st_g to T in E. The "+" recalls "one or more".

Notice that this type is assigned by means of syntax-oriented rules that do not
involve reduction, which is why we term this type static in this paper.

Obviously this feature makes the computation of the static type very fast. Another
consequence is that the static type of a term inherits the binders and redexes
of that term (i.e. it may have more binders and redexes but not fewer).
Besides being a very well established notion that λδ can also deal with, the
static type is relevant in this paper for two theoretical reasons. Firstly it allows us to
define an immersion of T into E that opens the road to a dualization of terms and
environments (see Appendix B). Secondly it is used in Subsection 2.6 to justify the
notion of arity, which plays an important role in connecting λδ to λ→.

2.6 Arity Assignment

The notion of arity [Nordström et al. 1990] (skeletons in [Barras 1996]) as a
description of the functional structure of a term is not strictly necessary in λδ, nor is
the data type 𝕃 used to represent it (since arities can be encoded into terms). But
both are useful from the technical standpoint. Arities are expected to provide
a connection between the terms of λδ and the types of a suitable version of λ→,
they facilitate the proof of the strong normalization theorem (see Theorem 6(9))
and they speed up the proofs of the last three clauses of Theorem 10.

Definition 15 arities.

The set of arities is defined as follows:

$$\mathbb{L} = (\mathbb{N}, \mathbb{N}) \mid \mathbb{L} \to \mathbb{L} \quad (7)$$

The arities of the form (h, k) are called nodes and are ordered pairs.

In the following, the variable L will always range over the data type 𝕃.
The arity of a term T has the form L = L1 → L2 → ··· → Li → (h, k) and it
describes the following features of T:

— the position of T in the type hierarchy is the node (h, k). By this we mean
that iterating k times the static typing operation on T, we obtain a term whose
rightmost item is Sort_h (this term exists as shown by Theorem 12(2));

— T is a function taking exactly i arguments (i.e. a function of arity i);

— for each j between 1 and i, the j-th argument of T must have arity Lj.

By looking at its shape, it should be clear that an arity is a type of the instance
of λ→ in which we take the nodes as basic types.

Notice that our arity of T, containing the position of all arguments of T, is more
informative than the skeleton of [Barras 1996], which only records the position of T.

Also notice that we cannot expect a term to have a unique position since each
term at position (h, k) is also at position (g(h), k + 1).¹

In order to assign an arity to a declared variable we need a function connecting
the arity of a term to the arity of its type. Here we present the strict successor
function defined below, but we are not positive that this is the best
choice and we see two alternatives that might be considered as well.

The strict successor of a node depends on the sort hierarchy parameter g and the
strict successor of an arity is a natural extension of the former. We also introduce
the strict sum as the iterated composition of the strict successor.

Definition 16 the strict successor and the strict sum.

The strict successor of the arity L, denoted by L +g 1, is defined as follows:

$$(h, 0) +_g 1 = (g(h), 0) \qquad (h, k+1) +_g 1 = (h, k) \qquad (L_1 \to L_2) +_g 1 = L_1 \to (L_2 +_g 1) \quad (8)$$

The strict sum L +g k is the composition of k strict successors applied to L.

¹The converse is not true in general.

$$\frac{(h_1, k_1) +_g k = (h_2, k_2) +_g k}{(h_1, k_1) =_g (h_2, k_2)} \qquad \frac{L_1 =_g L_2 \quad L_3 =_g L_4}{L_1 \to L_3 =_g L_2 \to L_4}$$

Fig. 9. Level equality rules

We may think of the type hierarchy induced by the parameter g as an oriented
graph in which the arcs are drawn from each node L to its strict successor L +g 1.

Coming now to the problem of defining the level (class in [Barras 1996]) of a node
in the type hierarchy graph, i.e. the height of this node from a reference point, we
observe that this notion cannot be given in absolute terms (as happens in the
type hierarchies with top-level elements or bottom-level elements) because in our
case the graph can be disconnected, so no node can be taken as a global reference
point. The best we can do is to define what it means for two nodes L1 and L2 to
be at the same level, by saying that they must have the same height relative to a
third node L3 to which they are both connected.

So we say that the nodes L1 and L2 are at the same level in the type hierarchy if
there exists k such that L1 +g k = L2 +g k, and we express this concept as follows.

Definition 17 level equality.

The level equality predicate L1 =g L2 is defined by the rules in Figure 9.
Notice that =g is an equivalence relation and that (h, k) =g (g(h), k + 1); in fact

(h, k) +g (k + 1) = (g(h), 0) = (g(h), k + 1) +g (k + 1).

Formally the levels of the type hierarchy are the equivalence classes of =g.

If we choose g(h) = h + 1, the levels of the corresponding type hierarchy are
isomorphic to the integer numbers, as shown by Theorem 13, and the integer number
associated to the equivalence class containing the node (h, k) is h − k. This result
is consistent with the intuition according to which the type hierarchy of λδ has an
infinite sequence of levels both above and below any reference point.²

It is important to remark that the decidability of the predicate =g depends on
the choice of the parameter g. This predicate is undecidable in general but it is
decidable for some choices of g, for instance for the one above.
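The strict successor, the strict sum and the level equality of Definitions 16 and 17, as an added Python example (not the paper's code). It shows the two sides of the decidability remark: for an arbitrary g the search for a witness k can only answer "yes" or "unknown", while for g(h) = h + 1 the integer h − k of Theorem 13 decides =g outright. The tuple encoding of nodes and arrows, the search bound and the function names are choices made for this example.

```python
"""Arities encoded for this example as ('node', h, k) for the node (h, k) and
('arrow', L1, L2) for L1 → L2; g is any Python function on non-negative ints."""


def succ(g, L):
    """The strict successor L +g 1 of rule (8)."""
    if L[0] == 'node':
        _, h, k = L
        return ('node', g(h), 0) if k == 0 else ('node', h, k - 1)
    _, L1, L2 = L
    return ('arrow', L1, succ(g, L2))       # only the rightmost node advances


def plus(g, L, k):
    """The strict sum L +g k: k strict successors applied to L."""
    for _ in range(k):
        L = succ(g, L)
    return L


def level_eq(g, L1, L2, bound):
    """Semi-decision of L1 =g L2 (Figure 9).  True if some k ≤ bound satisfies
    L1 +g k = L2 +g k (once equal, the two stay equal, the successor being a
    function); None if the bound is exhausted, since no 'no' answer is available
    for an arbitrary g.  Arrows are compared componentwise, as in Figure 9."""
    if L1[0] != L2[0]:
        return False                        # a node is never at the level of an arrow
    if L1[0] == 'arrow':
        a = level_eq(g, L1[1], L2[1], bound)
        b = level_eq(g, L1[2], L2[2], bound)
        if a is False or b is False:
            return False
        return True if (a and b) else None
    for k in range(bound + 1):
        if plus(g, L1, k) == plus(g, L2, k):
            return True
    return None


def level_index(L):
    """For g(h) = h + 1 only: the integer h - k naming the =g class of a node
    (Theorem 13), extended structurally to arrows."""
    if L[0] == 'node':
        return L[1] - L[2]
    return ('arrow', level_index(L[1]), level_index(L[2]))


def level_eq_succ(L1, L2):
    """Decision procedure for =g when g(h) = h + 1: compare the h - k indexes."""
    return level_index(L1) == level_index(L2)
```

`level_eq` with g(h) = h + 1 confirms (2, 0) =g (3, 1) at k = 1, matching `level_eq_succ` (both nodes have index 2); with g(h) = h + 2 the nodes (0, 0) and (1, 0) generate the even and the odd sorts respectively, and the bounded search can only report None, which is the practical face of the undecidability the text mentions.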

Now we have all the ingredients to define the arity assignment.

Definition 18 arity assignment.

The arity assignment predicate is E ⊢g T ▹ L and means that the term T has
arity L in the context E with respect to g. Its rules are given in Figure 10.

²If we define (h, k) +g z = (h, k − z) when z < 0, then the function z ↦ L +g z from the integer
numbers to 𝕃 is injective with respect to =g in the sense that L +g z1 =g L +g z2 implies z1 = z2.
This fact is not proved in [Guidi 2007a] yet.
$$\frac{}{E \vdash_g \mathrm{Sort}_h \triangleright (h, 0)}\ \text{(sort)} \qquad \frac{E \vdash_g T \triangleright L_1 \quad L_1 =_g L_2}{E \vdash_g T \triangleright L_2}\ \text{(repl)}$$

$$\frac{E = C_1.\delta x{\leftarrow}V.C_2 \quad C_1 \vdash_g V \triangleright L}{E \vdash_g x \triangleright L}\ \text{(def)} \qquad \frac{E = C_1.\lambda x{:}W.C_2 \quad C_1 \vdash_g W \triangleright L +_g 1}{E \vdash_g x \triangleright L}\ \text{(decl)}$$

$$\frac{E \vdash_g V \triangleright L_1 \quad E.\delta x{\leftarrow}V \vdash_g T \triangleright L_2}{E \vdash_g \delta x{\leftarrow}V.T \triangleright L_2}\ \text{(abbr)} \qquad \frac{E \vdash_g W \triangleright L_1 +_g 1 \quad E.\lambda x{:}W \vdash_g T \triangleright L_2}{E \vdash_g \lambda x{:}W.T \triangleright L_1 \to L_2}\ \text{(abst)}$$

$$\frac{E \vdash_g V \triangleright L_1 \quad E \vdash_g T \triangleright L_1 \to L_2}{E \vdash_g (V).T \triangleright L_2}\ \text{(appl)} \qquad \frac{E \vdash_g W \triangleright L +_g 1 \quad E \vdash_g T \triangleright L}{E \vdash_g \langle W \rangle.T \triangleright L}\ \text{(cast)}$$

Fig. 10. Arity assignment rules

In this paper we assign the arity up to level equality, but we suspect that other
(more desirable) solutions are possible as well.

2.7 Domain-Based Preorders on Environments

We recall that a variable occurrence x is a placeholder for a member of a given
subset of terms, which is called the domain of x. In our case if x is bound in the
environment E1 = C.λx:W then x stands for any term of type W in C, so its domain
is D1 = {T | C ⊢g T : W}. On the other hand if x is bound in the environment
E2 = C.δx←V then x stands only for V, so its domain is D2 = {T | T = V}.

If we now assume C ⊢g V : W, we see that D2 ⊆ D1 and we are led to define the
following preorder on environments, such that E2 ≼g E1 holds.

Definition 19 domain-based preorder on environments.

The relation E2 ≼g E1 holds when the environments E2 and E1 bind the same
variables and, for each of these variables, its domain in E2 is contained in its domain
in E1.³ The rules of this relation are given below:

— (sort) Sort_h ≼g Sort_h'

— (compatibility) if C2 ≼g C1 then λx:W.C2 ≼g λx:W.C1 and
δx←V.C2 ≼g δx←V.C1 and (V).C2 ≼g (V).C1 and ⟨W⟩.C2 ≼g ⟨W⟩.C1;

— (abst) if C2 ≼g C1 and C2 ⊢g V : W and C1 ⊢g V : W then
C2.δx←V ≼g C1.λx:W.

The preorder ≼g is an auxiliary notion we use to prove the subject reduction
property of the native type assignment, Theorem 9(1), in the case of the β-contraction,
because of the shapes of the β-reductum (Figure 3), of Figure 7(abst) and of
Figure 7(abbr). In fact we know that the calculi in which the β-reductum exploits an
explicit substitution in place of an abbreviation do not need this apparatus.

If we relax the minor premises of Definition 19(abst) by expressing them in terms
of the arity assignment, we obtain the preorder defined below:

Definition 20 relaxed domain-based preorder on environments.
The relation E2 ⊑g E1 is defined like E2 ≼g E1 but Definition 19(abst) is replaced
by the following axiom:

— (abst) if C2 ⊑g C1 and C2 ⊢g V ▹ L and C1 ⊢g W ▹ L +g 1 then
C2.δx←V ⊑g C1.λx:W.

³In [Guidi 2007a] we axiomatized the relation "E1 ≽g E2" rather than "E2 ≼g E1".

We use this preorder as an auxiliary notion to prove the subject reduction
property of the arity assignment, Theorem 2(1), in the case of the β-contraction,
because of the shapes of the β-reductum (Figure 3), of Figure 10(abst) and of
Figure 10(abbr). We stress that ⊑g is undecidable in general because it involves =g.

Notice that Theorem 10(3) states that E2 ≼g E1 implies E2 ⊑g E1, but we argue
from Theorem 14 that the converse does not hold in general.

3. THE THEORY OF λδ

In this section we present the main properties of the notions we introduced in
Section 2. In particular we give the results on arities (Subsection 3.1), on reduction
and conversion (Subsection 3.2), on native types (Subsection 3.3) and on static types
(Subsection 3.4). Notice that here we are forced to order the topics in a slightly
different way with respect to Section 2 because we want to follow the dependency
graph of the theorems we present. In Subsection 3.5 we give some theorems about
concrete terms and instances of the parameter g having interesting properties.

3.1 Results on the Arity Assignment

The arity assignment is an auxiliary notion in λδ, which we mainly introduced to
reduce the strong normalization of λδ to that of λ→. Furthermore the replacement
arity assignment rule, Figure 10(repl), is not satisfactory because it involves the
level equality predicate, which is undecidable in general. For these reasons we prefer
not to insist on the results on arities and we just give some examples below.

Theorem 1 main properties of arities.

(1) (every node is inhabited)
For all h, k there exist C, T such that C ⊢g T ▹ (h, k).

(2) (uniqueness of arity up to level equality)
If C ⊢g T ▹ L1 and C ⊢g T ▹ L2 then L1 =g L2.

(3) (substitution in focalized terms preserves the arity)
If C1 ⊢g T1 ▹ L and C1 = E.δx←V.E' and [x+←V]f (C1, T1) = (C2, T2) then
C2 ⊢g T2 ▹ L.

(4) (monotonicity of the arity assignment with respect to ⊑g)
If C1 ⊢g T ▹ L and C2 ⊑g C1 then C2 ⊢g T ▹ L.

Proof. Clause (1) is proved by induction on k. Clause (2) is proved by induction
on the first premise and by cases on the second premise. Clause (3) is proved by
induction on the first premise and by cases on the third premise. Clause (4) is
proved by induction on the first premise with some invocations of Clause (2). □

The subject reduction property of the arity assignment is proved by the theorem
below. The main part of the proof is in the base case, where a single step of
environment-free parallel reduction is considered. The possibility to reduce some
terms inside the environment is essential here. The general case is just a corollary.
As a consequence, the level of a term in the type hierarchy is preserved by reduction.

Theorem 2 subject reduction.

(1) (base case)
If C1 ⊢g T1 ▹ L and C1 ⇒we C2 and T1 ⇒ T2 then C2 ⊢g T2 ▹ L.

(2) (general case without the reduction in the environment)
If C ⊢ T1 ⇒* T2 and C ⊢g T1 ▹ L then C ⊢g T2 ▹ L.

Proof. Clause (1) is proved by double induction on the first and third premise.
In the case of Figure 10(abbr) against Figure 2(δ) we exploit Theorem 1(3), and in
the case of Figure 10(appl) against Figure 2(β) we exploit Theorem 1(4). Clause
(2) is proved by induction on the first premise via the previous clause. □

3.2 The Results on Reduction and Conversion

The most relevant properties of reduction and conversion are listed below.

Theorem 3 main properties of reduction and conversion.

(1) (confluence of ⇒ with strict substitution)
If T1 ⇒ T2 and [x+←W1]t T1 = U1 and W1 ⇒ W2 then U1 ⇒ T2 or there exists
U2 such that U1 ⇒ U2 and [x+←W2]t T2 = U2.

(2) (confluence of ⇒ with itself: Church-Rosser property)
If T0 ⇒ T1 and T0 ⇒ T2 then there exists T such that T1 ⇒ T and T2 ⇒ T.

(3) (confluence of ⊢ ⇒* with itself: Church-Rosser property)
If C ⊢ T0 ⇒* T1 and C ⊢ T0 ⇒* T2 then there exists T such that C ⊢ T1 ⇒* T
and C ⊢ T2 ⇒* T.

(4) (thinning of the applicator for ⊢ ⇔*)
If C ⊢ T1 ⇔* T2 then C ⊢ (V).T1 ⇔* (V).T2.

(5) (compatibility for ⊢ ⇔*: first operand)
If C ⊢ V1 ⇔* V2 then C ⊢ λx:V1.T ⇔* λx:V2.T and C ⊢ (V1).T ⇔* (V2).T and
C ⊢ δx←V1.T ⇔* δx←V2.T and C ⊢ ⟨V1⟩.T ⇔* ⟨V2⟩.T.

(6) (compatibility for ⊢ ⇔*: second operand)
If C.λx:V ⊢ T1 ⇔* T2 then C ⊢ λx:V.T1 ⇔* λx:V.T2; if C.δx←V ⊢ T1 ⇔* T2
then C ⊢ δx←V.T1 ⇔* δx←V.T2.

(7) (generation lemma on abstraction for ⊢ ⇔*)
If C ⊢ λx:V1.T1 ⇔* λx:V2.T2 then C ⊢ V1 ⇔* V2 and, for all V,
C.λx:V ⊢ T1 ⇔* T2.

(8) (η-conversion for the terms that convert to λ-abstractions)
If C ⊢ T ⇔* λx:W.U and C ⊢ V ⇔* W and x ∉ FV(T) then
C ⊢ λx:V.(x).T ⇔* T.

Proof. Clause (1) is proved by induction on the first premise and by cases on
the second premise. Clause (2) is proved by induction on T0 and by cases on the two
premises. Here we must assume that the inductive hypothesis holds for all proper
subterms of T0. Clause (3) is a standard corollary of the previous clause, proved
using the "strip lemma" [Barendregt 1993]. Clauses (4), (5), (6) are immediate.
Clause (7) is proved by induction on the premise with the standard technique used
for generation lemmas [Barendregt 1993]. Clause (8) is a corollary of clause (4). □

The main result on reduction is the Church-Rosser property, while the main result on
conversion is its generation lemma on abstraction: a desirable property mentioned
in [van Daalen 1980]. The other properties, stating that conversion is a congruence,
are referenced in Appendix A.

What follows is a classification of the normal terms having an arity:
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Theorem 4 the normal terms with an arity. 

If C \-g T > L and nf (C,T) then there exist V, U, W, x, h such that: 

{1) T = Xx:W.U andnf{C,W) and ni{C.Xx:W,U) or 

(2) T = Sort,, or 

{3) T = (y).x anrfnf(C,F) andni{C,x). 

Proof. By induction on the first premise and by cases on the second premise. □ 

The strong normahzation theorem outhned below, stating that every term with 
an arity is strongly normalizable, is one of the relevant results of the present paper. 

If we consider the connections between \5 and that we briefly sketched in 
Subsection 2.6, it should not be a surprise that the proof of strong normalization 
proposed by Tait for A— > can be adapted for \5. Namely both the definition of the 
strong reducibility candidates and the overall proof method are the same. 

Our formalization follows essentially the version of Tait's proof reported by 
[Loader 1998]. Other references we considered are [Letouzey and Schwichtenberg 
2004; Girard et al. 1989; Cescutti 2001; van Oostrom 2002]. The main difference 
with respect to [Loader 1998] is that we can use abbreviations in place of explicit 
substitutions because of the shape of our /3-reductum (see Figure 2(/3)). 

Definition 21 the strong reducibility candidates. 

The subset of the focalized terms that are strong reducibility candidates of arity 
L (with respect to the parameter g) is here denoted by [L]g and it is defined below. 

{E,T) e[{h,k)]g iff EhgTt. {h,k) andsn{E,T) 

{E,T) G [Li L2]g iff Ehg T > Li ^ L2 and for each C, Ci, C2, V, (10) 
(C, V) 6 [Li]g and C = C1.E.C2 imply (C, (y).T) e [Lzjg 

Notice that the possibility of exchanging the binders of the environment C is 
silently assumed at least in Theorem 6(5) below (see [Loader 1998]). Thus Defini- 
tion 21 must be rephrased carefully when binders are referenced by position instead 
of by name (i.e with de Bruiju indexes) as in [Guidi 2007a] (see Definition 33). 

We also define a version of the relaxed preorder on environments (Definition 20) 
for use with the strong reducibility candidates, which we need in Theorem 6(8). 

Definition 22 relaxed preorder on environments for candidates. 
The relation E2 Ei is defined like E2 ^g Ei but Definition 20(-abiii) is re- 
placed by the axiom below. The notation "rc" stands for "reducibility candidates". 

— (abst) ifC2 'Q'g Ci and {C2,V) G [L]g and {Ci,W) e [L+g l\g then 
C2.6x^V IZl" Ci.Xx:W. 

Here are the main results on the preorder we just defined:
Theorem 5 main properties of the relation $\sqsubseteq_g^{rc}$.

(1) (the preorder for candidates implies the relaxed preorder)

If $C_2 \sqsubseteq_g^{rc} C_1$ then $C_2 \sqsubseteq_g C_1$.
(2) (monotonicity of the arity assignment with respect to $\sqsubseteq_g^{rc}$)

If $C_2 \sqsubseteq_g^{rc} C_1$ and $C_1 \vdash_g T \triangleright L$ then $C_2 \vdash_g T \triangleright L$.
Proof. Clause (1) is easily proved by induction on its premise. Clause (2) is a corollary of the previous clause and of Theorem 1(4). □

The strong normalization property, which we write as $C \vdash_g T \triangleright L$ implies $\mathrm{sn}(C,T)$, is not proved as is, but is derived from a number of lemmas, which must be suitably generalized in order to be proved.

Theorem 6 main properties of the strongly normalizable terms.

(1) (normal terms are strongly normalizable)

If $\mathrm{nf}(C,T)$ then $\mathrm{sn}(C,T)$.
(2) (candidate type cast)

If $(C, (\bar V).V) \in [L +_g 1]_g$ and $(C, (\bar V).T) \in [L]_g$ then $(C, (\bar V).\langle V\rangle.T) \in [L]_g$.

(3) (candidate reference to abbreviation)

If $(C, (\bar V).V) \in [L]_g$ and $C = D.\delta x{\leftarrow}V.D'$ then $(C, (\bar V).x) \in [L]_g$.

(4) (candidate reference to abstraction)

If $C \vdash_g (\bar V).x \triangleright L$ and $\mathrm{nf}(C,x)$ and $\mathrm{sn}(C,\bar V)$ then $(C, (\bar V).x) \in [L]_g$.
(5) (candidates are strongly normalizable)

If $(C,T) \in [L]_g$ then $\mathrm{sn}(C,T)$.

(6) (candidate abbreviation)

If $(C.\delta x{\leftarrow}V, (\bar V).T) \in [L_2]_g$ and $(C,V) \in [L_1]_g$ then $(C, (\bar V).\delta x{\leftarrow}V.T) \in [L_2]_g$.

(7) (candidate $\beta$-redex)

If $(C, (\bar V).\delta x{\leftarrow}V.T) \in [L_2]_g$ and $(C,V) \in [L_1]_g$ and $(C,W) \in [L_1 +_g 1]_g$ then $(C, (\bar V).(V).\lambda x{:}W.T) \in [L_2]_g$.

(8) (terms with an arity are candidates, general case)
If $C_1 \vdash_g T \triangleright L$ and $E = C_1.D$ and $C_2 \sqsubseteq_g^{rc} E$ then $(C_2,T) \in [L]_g$.

(9) (terms with an arity are candidates)
If $C \vdash_g T \triangleright L$ then $(C,T) \in [L]_g$.

Proof. Clause (1) is immediate. Clauses (2), (3), (4) and (5) are proved by induction on $L$. Notice however that clauses (4) and (5) must be proved simultaneously. Clauses (6) and (7) are proved by induction on $L_2$ by invoking clause (5). Clause (8) is proved by induction on its first premise and by cases on its third premise; here we invoke the clauses (2), (3), (4), (6), (7) with $\bar V$ as the empty list $\circ$, but this assumption is too weak to prove the clauses themselves; in the proof we also invoke Theorem 5(2). Clause (9) follows from the previous clause. □

The fact that every term with an arity is strongly normalizable follows from the composition of Theorem 6(9) (the main result) and Theorem 6(5), but notice that the converse is not true in general, as we infer from Theorem 6(1) and Theorem 15.

3.3 Results on the Native Type Assignment 

The first result about the type system is the generation (i.e. inversion) lemma, 
whose aim is to invert the type assignment rules of Definition 13. 

Theorem 7 generation lemma for native type assignment.

(1) (generation lemma on sorts)

If $C \vdash_g \mathrm{Sort}_h : T$ then $C \vdash \mathrm{Sort}_{g(h)} \Leftrightarrow^* T$.
(2) (generation lemma on bound references)

If $C \vdash_g x : T$ then there exist $E, E', V, U$ such that $C \vdash U \Leftrightarrow^* T$ and $C = E.\delta x{\leftarrow}V.E'$ and $E \vdash_g V : U$, or there exist $E, E', V, U$ such that $C \vdash V \Leftrightarrow^* T$ and $C = E.\lambda x{:}V.E'$ and $E \vdash_g V : U$.
(3) (generation lemma on abbreviations)

If $C \vdash_g \delta x{\leftarrow}V.U_1 : T$ then there exist $U_2, U$ such that $C \vdash \delta x{\leftarrow}V.U_2 \Leftrightarrow^* T$ and $C \vdash_g V : U$ and $C.\delta x{\leftarrow}V \vdash_g U_1 : U_2$.

(4) (generation lemma on abstractions)

If $C \vdash_g \lambda x{:}V.U_1 : T$ then there exist $U_2, U$ such that $C \vdash \lambda x{:}V.U_2 \Leftrightarrow^* T$ and $C \vdash_g V : U$ and $C.\lambda x{:}V \vdash_g U_1 : U_2$.

(5) (generation lemma on applications)

If $C \vdash_g (V_1).U_1 : T$ then there exist $V_2, U_2$ such that $C \vdash (V_1).\lambda x{:}V_2.U_2 \Leftrightarrow^* T$ and $C \vdash_g U_1 : \lambda x{:}V_2.U_2$ and $C \vdash_g V_1 : V_2$.

(6) (generation lemma on type annotations)

If $C \vdash_g \langle V\rangle.U : T$ then there exists $V_0$ such that $C \vdash \langle V_0\rangle.V \Leftrightarrow^* T$ and $C \vdash_g U : V$ and $C \vdash_g V : V_0$.

Proof. All clauses are proved by induction on the premise with the standard technique used to prove generation lemmas in general [Barendregt 1993]. □

Some important properties of the native type assignment are listed below. 

Theorem 8 main properties of native type assignment.

(1) (thinning preserves type)

If $C_2 \vdash_g T_1 : T_2$ and $C_1 = D'.C_2.D''$ then $C_1 \vdash_g T_1 : T_2$.
(2) (correctness of types)

If $C \vdash_g T_1 : T_2$ then there exists $T_3$ such that $C \vdash_g T_2 : T_3$.
(3) (uniqueness of types up to conversion)

If $C \vdash_g T : T_1$ and $C \vdash_g T : T_2$ then $C \vdash T_1 \Leftrightarrow^* T_2$.
(4) (substitution in focalized terms preserves the type)

If $C_1 \vdash_g T_1 : T$ and $[x{\leftarrow}V]_f(C_1,T_1) = (C_2,T_2)$ and $C_1 = E.\delta x{\leftarrow}V.E'$ then $C_2 \vdash_g T_2 : T$.

(5) (substitution in terms preserves the type)

If $C \vdash_g T_1 : T$ and $[x{\leftarrow}V]_t T_1 = T_2$ and $C = E.\delta x{\leftarrow}V.E'$ then $C \vdash_g T_2 : T$.

(6) (substitution in environments preserves the type)

If $C_1 \vdash_g T : T_0$ and $[x{\leftarrow}V]_e C_1 = C_2$ and $C_1 = E.\delta x{\leftarrow}V.E'$ then $C_2 \vdash_g T : T_0$.

(7) (monotonicity of the type assignment with respect to $\preccurlyeq_g$)
If $C_1 \vdash_g T_1 : T_2$ and $C_2 \preccurlyeq_g C_1$ then $C_2 \vdash_g T_1 : T_2$.

(8) (type checking implies type inference)

If $C \vdash_g T : V$ then there exists $U$ such that $C \vdash_g \langle V\rangle.T : U$.

Proof. Clause (1) is proved by induction on the first premise. The proof of clauses (2) and (3) is by induction on their first premise and contains invocations of Theorem 7 and of clause (1). Clause (4) is proved by double induction on the first two premises and by invoking the previous clauses. The statements (5) and (6) are mutually recursive so we prove them as corollaries of clause (4). Clause (7) is proved by induction on the first premise. Clause (8) is a corollary of clause (2). □

A consequence of Theorem 7(6) is that if $\langle W\rangle.T$ is typable in $E$ then $T$ has type $W$ in $E$. The converse also holds by Theorem 8(8) and this implies that in $\lambda\delta$, type checking can be expressed in terms of type inference [Barendregt 1993].

Theorem 8(7) is the most relevant result about the preorder $\preccurlyeq_g$.

The subject reduction of $\lambda\delta$ is one of the main results we are presenting in this paper. The main part of the proof is concentrated in the base case, where a single step of environment-free parallel reduction is considered. The possibility to reduce some terms appearing inside the environment is essential here (see [Kamareddine et al. 1999]). The general case is just a simple corollary.

Theorem 9 subject reduction and corollaries.

(1) (base case)

If $C_1 \vdash_g T : T_2$ and $C_1 \Rightarrow C_2$ and $T \Rightarrow T_1$ then $C_2 \vdash_g T_1 : T_2$.
(2) (general case without the reduction in the environment)

If $C \vdash T \Rightarrow^* T_1$ and $C \vdash_g T : T_2$ then $C \vdash_g T_1 : T_2$.
(3) (inverse of type preservation by thinning)

If $C_1 \vdash_g T : T_1$ and $C_1 = D'.C_2.D''$ then there exists $T_2$ such that $C_1 \vdash T_2 \Leftrightarrow^* T_1$ and $C_2 \vdash_g T : T_2$.

(4) (type reduction)

If $C \vdash_g T : T_1$ and $C \vdash T_1 \Rightarrow^* T_2$ then $C \vdash_g T : T_2$.

(5) (subject conversion: first case)

If $C \vdash_g U_1 : T_1$ and $C \vdash_g U_2 : T_2$ and $C \vdash U_1 \Leftrightarrow^* U_2$ then $C \vdash T_1 \Leftrightarrow^* T_2$.
(6) (subject conversion: second case)

If $C \vdash_g U_1 : T_1$ and $C \vdash_g U_2 : T_2$ and $C \vdash U_1 \Leftrightarrow^* U_2$ then $C \vdash_g U_1 : T_2$.

Proof. Clause (1) is proved by induction on the first premise and by cases on the third premise with frequent invocations of Theorem 7, Theorem 8(1) and Theorem 8(2). In the case of Figure 7(abbr) against Figure 2($\delta$) we exploit Theorem 8(5), and in the case of Figure 7(appl) against Figure 2($\beta$) we exploit Theorem 8(7). Clause (2) is a corollary of the previous clause proved by induction on the first premise. Clause (3) is proved by induction on the first premise. Clauses (4) and (6) are corollaries of Theorem 8(2). Clause (5) is a corollary of Theorem 8(3). □

We would like to stress that the proof of the subject reduction is more difficult in $\lambda\delta$ than in the $\lambda$-cube because in $\lambda\delta$ we can not assume that the type of the type of a term is a sort (as it is often done in the $\lambda$-cube).

With Theorem 9(1) we avoid the simultaneous induction with which many authors, including [Kamareddine et al. 1999], prove results like Theorem 9(2). Notice that Theorem 9(6) is stated as a desired property in [van Daalen 1980].

Some properties of the type system are proved more easily by invoking arities, because arities are assigned up to level equality instead of up to conversion, and level equality is easier to manage, being defined by simpler rules. The other rules of the arity assignment have the same complexity as the corresponding rules for the types.

Theorem 10 some properties of types proved using arities.

(1) (typed terms have an arity)

If $C \vdash_g T_1 : T_2$ then there exists $L$ such that $C \vdash_g T_1 \triangleright L$ and $C \vdash_g T_2 \triangleright L +_g 1$.
(2) (typed terms are strongly normalizable)
If $C \vdash_g T : U$ then $\mathrm{sn}(C,T)$.

(3) (the preorder on environments implies the relaxed preorder)
If $C_2 \preccurlyeq_g C_1$ then $C_2 \sqsubseteq_g C_1$.

(4) (abstraction is predicative)

If $C \vdash_g \lambda x{:}V.T : U$ then $C \nvdash U \Leftrightarrow^* V$.

(5) (abstraction is not absorbent)

If $C \vdash_g \lambda x{:}V.T : U_1$ and $C.\lambda x{:}V \vdash_g T : U_2$ and $x \notin \mathrm{FV}(U_2)$ then $C \nvdash U_1 \Leftrightarrow^* U_2$.

(6) (terms can not be typed with themselves)
If $C \vdash_g T : U$ then $C \nvdash U \Leftrightarrow^* T$.

Proof. Clause (1) is a consequence of Theorem 2; it is proved by induction on its premise and it is a prerequisite of the other clauses. In particular clause (2) is a corollary of Theorem 6(9) and Theorem 6(5), clause (3) is proved by induction on its premise by invoking Theorem 1(4), clause (4) invokes Theorem 7(4), clause (5) invokes Theorem 8(2), and clause (6) uses the strict monotonicity condition of the sort hierarchy parameter $g$ (see Definition 12). □

Notice that Theorem 10(1) includes our version of the theorem stating that the level of a term and the level of its type differ in one application of the successor function (originally proved by de Bruijn for his calculi).

Theorem 10(4) states that a term constructed by abstraction never belongs to the abstraction domain (i.e. the class of the terms typed by $V$ in this case). Moreover Theorem 10(5) states that in $\lambda\delta$ there is no term $*$ for which, in standard notation:

$$\frac{\Gamma \vdash A : * \qquad \Gamma, x{:}A \vdash B : *}{\Gamma \vdash (\lambda x{:}A.B) : *}$$

We stress that Theorem 10(4) and Theorem 10(5) are expected properties of the $\lambda$-abstraction, which hold in every typed $\lambda$-calculus.

The decidability results we present below are a consequence of Theorem 10(2).

Theorem 11 main decidability results.

(1) (convertibility of typed terms is decidable)

If $C \vdash_g U_1 : T_1$ and $C \vdash_g U_2 : T_2$ then $C \vdash U_1 \Leftrightarrow^* U_2$ or $C \nvdash U_1 \Leftrightarrow^* U_2$.

(2) (type inference is decidable)

For all $C$, $T_1$ there exists $T_2$ such that $C \vdash_g T_1 : T_2$, or for all $T_2$, $C \nvdash_g T_1 : T_2$.

Proof. Clause (1) is a standard consequence of Theorem 10(2) and Theorem 3(3). Clause (2) is proved by induction on the focalized term $(C,T_1)$ using Theorem 7, Theorem 8(2), Theorem 9(2) and the previous clause. We assume that the inductive hypothesis holds for all proper subterms of $(C,T_1)$ (intended as the term $C.T_1$). Moreover we consider $(E.\lambda x{:}W, T)$ and $(E.\delta x{\leftarrow}V, T)$ as subterms of $(E, \lambda x{:}W.T)$ and $(E, \delta x{\leftarrow}V.T)$ respectively (because of Figure 7(abst) and Figure 7(abbr)). □

Notice that by Theorem 7(6) and Theorem 8(8), type checking is also decidable.
Fig. 11. Integer level equality rules (the rules themselves are not legible in this copy; see Definition 23).

3.4 Results on the Static Type Assignment 

The main results about $\mathrm{st}_g(C, \cdot)$ are listed below.

Theorem 12 main properties of the static type.

(1) (a typable term is typed by its static type)

If $C \vdash_g U : T_1$ and $\mathrm{st}_g(C,U) = T_2$ then $C \vdash_g U : T_2$.

(2) (the iterated static type yields a term that can be seen as an environment)
If $\mathrm{st}_g(C,T_1) = T$ then there exists $T_2$ such that $\mathrm{st}_g^*(C,T_1) = T_2$ and $\mathrm{env}(T_2)$.

Proof. Clause (1) is proved by induction on the first premise and by cases on the second premise. While considering Figure 7(appl) and Figure 7(cast), we invoke Theorem 7, Theorem 8(2), Theorem 8(3) and Theorem 9(6). Clause (2) is easily proved by induction on its premise. □

Theorem 12(1) shows that the static type is indeed a type if we compute it on typed (i.e. legal) terms, and we can consider it as the canonical type of that term in the sense of [Kamareddine and Nederpelt 1996a].

Theorem 12(2) allows us to map a term $T$ to the environment $\gamma(T)$ obtained by iterating the static type assignment on $T$ the least number of times. Once extended arbitrarily on not well typed terms, $\gamma$ yields an immersion of $\mathcal{T}$ into $\mathcal{E}$. The above considerations clearly justify the choice of the function $\mathrm{st}_g^*(E, \cdot)$ as the main ingredient for switching between terms and environments in the $\lambda\delta$ setting. Notice that $\gamma$ and its properties have not been formally specified yet because the behavior of this function, especially with respect to reduction, is expected to be much clearer when the duality between terms and contexts is achieved (see Appendix B).

3.5 Examples 

If we consider the concrete sort hierarchy parameter $g_Z$ defined by $g_Z(h) = h + 1$, we have $(h_1,k_1) =_{g_Z} (h_2,k_2)$ iff $h_1 + k_1 = h_2 + k_2$, and we know that $\mathbb{N} \times \mathbb{N}$ (i.e. the set of the nodes) equipped with this equality is isomorphic to the set of the integer numbers. To formalize this assertion, we define the integer level equality on nodes, we extend it to compound arities, and we state the following theorem.

Definition 23 integer level equality.

The integer level equality predicate $L_1 =_Z L_2$ is defined by the rules in Figure 11.

Theorem 13 level equality for the concrete parameter $g_Z$.

(1) (level equality for $g_Z$ implies integer level equality)
If $L_1 =_{g_Z} L_2$ then $L_1 =_Z L_2$.

(2) (integer level equality implies level equality for $g_Z$)
If $L_1 =_Z L_2$ then $L_1 =_{g_Z} L_2$.

Proof. Both clauses are easily proved by induction on their premises. □

ACM Transactions on Computational Logic, Vol. V, No. N, Month 20YY.

The Formal System $\lambda\delta$ • 27

The converse of Theorem 10(1) is not true in general: in fact there are terms that have an arity but that are not typable. The next result shows an example.

Theorem 14 an untypable term having an arity.

Given the term $T = (x_2).\lambda x_3{:}x_0.\mathrm{Sort}_0$ in the environment $E = \lambda x_0{:}\mathrm{Sort}_0.\lambda x_1{:}\mathrm{Sort}_0.\lambda x_2{:}x_1.\mathrm{Sort}_0$ we have that:

(1) ($T$ has an arity in $E$)

$E \vdash_g T \triangleright (0,0)$.
(2) ($T$ is not typable in $E$)

For all $U$, $E \nvdash_g T : U$.

Proof. Clause (1) is immediate. Clause (2) is a consequence of Theorem 7. □
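As an added worked derivation (not part of the original paper), here is how Theorem 14(2) follows from the generation lemma, with $T$ and $E$ as above; the last step additionally assumes that two convertible abstractions have convertible domains, which we take from the confluence result cited as Theorem 3 rather than from anything restated on this page.

Suppose $E \vdash_g T : U$ for some $U$, where $T = (x_2).U_1$ and $U_1 = \lambda x_3{:}x_0.\mathrm{Sort}_0$.

$$\text{Theorem 7(5):}\quad \exists V_2, U_2.\ \ E \vdash (x_2).\lambda x{:}V_2.U_2 \Leftrightarrow^* U,\quad E \vdash_g U_1 : \lambda x{:}V_2.U_2,\quad E \vdash_g x_2 : V_2$$

$$\text{Theorem 7(2) on } E \vdash_g x_2 : V_2:\quad E = E'.\lambda x_2{:}x_1.E'' \ \text{(no } \delta\text{-entry binds } x_2\text{)},\quad E \vdash x_1 \Leftrightarrow^* V_2$$

$$\text{Theorem 7(4) on } E \vdash_g \lambda x_3{:}x_0.\mathrm{Sort}_0 : \lambda x{:}V_2.U_2:\quad \exists U_2', U'.\ \ E \vdash \lambda x_3{:}x_0.U_2' \Leftrightarrow^* \lambda x{:}V_2.U_2,\quad E \vdash_g x_0 : U'$$

Chaining the two conversions gives $E \vdash \lambda x_3{:}x_0.U_2' \Leftrightarrow^* \lambda x{:}x_1.U_2$, which (assumption above) requires $E \vdash x_0 \Leftrightarrow^* x_1$. But $x_0$ and $x_1$ are distinct variables declared by $\lambda$-entries of $E$, so neither can be unfolded and both are normal in $E$; by confluence two distinct normal forms are not convertible. The contradiction shows $E \nvdash_g T : U$ for every $U$.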
The next theorem shows that there are normal terms that do not have an arity.
Theorem 15 a normal term without an arity.

Given the term $T = (\mathrm{Sort}_0).\mathrm{Sort}_0$ in the environment $E = \mathrm{Sort}_0$, we have that:

(1) ($T$ is normal in $E$)
$\mathrm{nf}(E,T)$.

(2) ($T$ does not have an arity in $E$)
For all $L$, $E \nvdash_g T \triangleright L$.

Proof. Both clauses are immediate consequences of simple generation lemmas, which we prove by induction on the premise with a standard technique. □

4. THE EXTENSION OF $\lambda\delta$ WITH THE EXCLUSION BINDER $\chi$

In this section we present the calculus $\chi\lambda\delta$, by which we mean the calculus $\lambda\delta$ extended by adding the exclusion binder $\chi$ (see Subsection 4.1). In this extension we show that every environment has a canonical well-formed form in the usual sense (see Subsection 4.2), which preserves the native type assignment.

4.1 The Calculus $\chi\lambda\delta$

In this subsection we extend $\lambda\delta$ by adding the exclusion binder that here we call $\chi$ (after χάος: Greek for "gaping void"). The calculus we obtain is called $\chi\lambda\delta$ and is the one we formalized in [Guidi 2007a]. The idea behind the exclusion binder is that a variable $x$ bound by $\chi x$ is excluded in the sense that it must not occur in the scope of $\chi x$. The intended use of this binder is to replace the other binders of an environment when they are not referenced. In this way we erase these binders from the environment without changing its length. This binder-erasing technique is particularly efficient when the bound variables are referenced by position (i.e. using the so-called de Bruijn indexes [de Bruijn 1994b]) instead of by name.

Definition 24 exclusion item.

We introduce the syntactic item $\chi x$ (exclusion) and we extend the syntax of terms and environments as follows:

$$T ::= T \mid \chi x.T \qquad\qquad E ::= E \mid \chi x.E \qquad (12)$$
Fig. 12. Environment-free reduction steps for exclusion

    scheme           redex              reductum
    χ-contraction    $\chi x.T$         $\to_\chi T$ if $x \notin \mathrm{FV}(T)$
    υ-swap           $(V).\chi x.T$     $\to_\upsilon \chi x.(V).T$

Fig. 13. Reduction rules for the exclusion binder

$$\frac{T_1 \Rightarrow T_2}{\chi x.T_1 \Rightarrow \chi x.T_2} \qquad\qquad \frac{T_1 \Rightarrow T_2 \qquad x \notin \mathrm{FV}(T_1)}{\chi x.T_1 \Rightarrow T_2}$$

Fig. 14. Typing rules for the exclusion binder

$$\frac{C.\chi x \vdash_g T : U}{C \vdash_g \chi x.T : \chi x.U}\ \text{(void)} \qquad\qquad \frac{\mathrm{st}_g(C.\chi x, T) = U}{\mathrm{st}_g(C, \chi x.T) = \chi x.U} \qquad\qquad \frac{C.\chi x \vdash_g T \triangleright L}{C \vdash_g \chi x.T \triangleright L}$$

The construction $\chi x.T$ ($\chi$-abstraction) is thought of as well formed if $x \notin \mathrm{FV}(T)$.

We want the $\chi$ binder to have the reductional behavior of the unreferenced abbreviation, so we add the $\chi$-contraction and the $\upsilon$-swap of Figure 12.

Formally we obtain this behavior by adding the rules of Figure 13.

The general type assignment policy of the $\chi$-abstraction follows that of the abbreviation but we do not add a rule for typing an excluded variable occurrence. In this way we capture our intuition of the exclusion because the excluded variable occurrences remain untyped. This policy applies uniformly to the assignment of the native type, of the static type and of the arity as we see in Figure 14.

The domain-based preorder on environments is extended by defining the domain of an excluded variable occurrence $x$ as the whole set $\mathcal{T}$ of terms because, being never well formed, $x$ can be a placeholder for any term.

Definition 25 preorders on environments for exclusion.
Under the assumption $E_2 \preccurlyeq_g E_1$ we set $E_2.\chi x \preccurlyeq_g E_1.\chi x$ and $E_2.\lambda x{:}W \preccurlyeq_g E_1.\chi x$ and $E_2.\delta x{\leftarrow}V \preccurlyeq_g E_1.\chi x$. We do the same for the preorders $\sqsubseteq_g$ and $\sqsubseteq_g^{rc}$.

We also need the rules stating the compatibility of the $\chi$-abstraction with the context predicate (Definition 3), with the substitution (Definition 4, Definition 5) and with the weak reduction of environments (Definition 8).

Every theorem we stated for $\lambda\delta$ holds in $\chi\lambda\delta$ as well; in addition we can prove:

Theorem 16 main properties of exclusion.

(1) (compatibility with environment-dependent parallel conversion)

If $C.\chi x \vdash T_1 \Leftrightarrow^* T_2$ then $C \vdash \chi x.T_1 \Leftrightarrow^* \chi x.T_2$.
(2) (candidate exclusion)

If $(C.\chi x, (\bar V).T) \in [L_2]_g$ then $(C, (\bar V).\chi x.T) \in [L_2]_g$.
(3) (generation lemma for native type assignment)

If $C \vdash_g \chi x.U_1 : T$ then there exists $U_2$ such that $C \vdash \chi x.U_2 \Leftrightarrow^* T$ and $C.\chi x \vdash_g U_1 : U_2$.

Proof. Clause (1) is proved like Theorem 3(6). Clause (2) is proved like Theorem 6(6). Clause (3) is proved like Theorem 7(3). □
4.2 Legal Environments in $\chi\lambda\delta$

In some versions of the $\lambda$-cube [Kamareddine et al. 1999] and in other type theories [Maietti and Sambin 2005], the rule for typing a variable declared in an environment (the so-called "start" rule) requires that the environment is legal (or well formed), which means that every declaration or definition in the environment is well typed. Following [Barendregt 1993], in Subsection 2.4 we showed that the explicit notion of a legal environment is not essential for defining our type judgement. However we may be interested in this notion for several reasons. For instance in the set theoretic semantics of a $\lambda$-calculus [Jacobs 1999], a term typed in an environment is denoted (approximately) by a function taking an argument for each environment entry, thus all the environment entries must be typable.

In this section we use the exclusion binder $\chi$ to define the "default legal version" of an arbitrary $\chi\lambda\delta$-environment (that in particular can be a $\lambda\delta$-environment), and we show that the type of a term is preserved when we "legalize" the environment.

Given an environment $E$, we introduce its default legal form $\mathrm{wf}_g(E)$ (the abbreviation of "well formed" taken from [Coq development team 2007]) that is $E$ with the non-binding entries removed and with the untypable entries replaced by $\chi$.

By using the $\chi$ binder, the environment $\mathrm{wf}_g(E)$ has the length of the environment $E$ and the terms referring to $E$ can refer to $\mathrm{wf}_g(E)$ without being relocated. This feature is desired in the formal specification of $\chi\lambda\delta$ [Guidi 2007a], where the environment entries are referred to by position, and not by name as in this paper.

Notice that the function $\mathrm{wf}_g$ is well defined and total because the type inference problem is decidable in $\chi\lambda\delta$ (see Theorem 11(2)). Also notice that $\mathrm{wf}_g$ depends on the sort hierarchy parameter $g$ defined in Subsection 2.4.

In [Guidi 2007a] we do not have the function for inferring the type of a term, therefore we prefer to define $\mathrm{wf}_g$ by axiomatizing the proposition $\mathrm{wf}_g(E_1) = E_2$.

Definition 26 environment legalization.

The default legalization of the environment $E$ is the environment $\mathrm{wf}_g(E)$ defined by axiomatizing the predicate $\mathrm{wf}_g(E_1) = E_2$ with the following clauses:

(1) $\mathrm{wf}_g(\mathrm{Sort}_h) = \mathrm{Sort}_h$.

(2) If $\mathrm{wf}_g(E_1) = E_2$ and $E_1 \vdash_g V : W$ then $\mathrm{wf}_g(E_1.\delta x{\leftarrow}V) = E_2.\delta x{\leftarrow}V$.

(3) If $\mathrm{wf}_g(E_1) = E_2$ and $E_1 \vdash_g W : V$ then $\mathrm{wf}_g(E_1.\lambda x{:}W) = E_2.\lambda x{:}W$.

(4) If $\mathrm{wf}_g(E_1) = E_2$ then $\mathrm{wf}_g(E_1.\chi x) = E_2.\chi x$.

(5) If $\mathrm{wf}_g(E_1) = E_2$ and for each $W$, $E_1 \nvdash_g V : W$, then $\mathrm{wf}_g(E_1.\delta x{\leftarrow}V) = E_2.\chi x$.

(6) If $\mathrm{wf}_g(E_1) = E_2$ and for each $V$, $E_1 \nvdash_g W : V$, then $\mathrm{wf}_g(E_1.\lambda x{:}W) = E_2.\chi x$.

(7) If $\mathrm{wf}_g(E_1) = E_2$ then $\mathrm{wf}_g(E_1.(V)) = E_2$.

(8) If $\mathrm{wf}_g(E_1) = E_2$ then $\mathrm{wf}_g(E_1.\langle W\rangle) = E_2$.

We do not give these axioms as rules because Axiom (5) and Axiom (6) are expressed in the meta-language and can not be given in rule form.
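As an added worked example (not part of the original paper), here is the legalization of an environment built on Theorem 14: with $E$ and $T$ as in Theorem 14, take the $\chi\lambda\delta$-environment $E_1 = E.\delta y{\leftarrow}T.(y).\lambda z{:}y$, where $y$ and $z$ are fresh names chosen for this example. We take for granted that every declaration of $E$ is typable in its prefix (sorts and declared variables are typed by the rules of Figure 7, which this page does not reproduce), so that $\mathrm{wf}_g(E) = E$ by clauses (1) and (3).

$$\mathrm{wf}_g(E.\delta y{\leftarrow}T) = E.\chi y \qquad \text{by clause (5), since } E \nvdash_g T : W \text{ for every } W \text{ (Theorem 14(2))}$$

$$\mathrm{wf}_g(E.\delta y{\leftarrow}T.(y)) = E.\chi y \qquad \text{by clause (7): the application entry is not a binder and is dropped}$$

$$\mathrm{wf}_g(E.\delta y{\leftarrow}T.(y).\lambda z{:}y) = E.\chi y.\chi z \qquad \text{by clause (6)}$$

The last step needs $E.\delta y{\leftarrow}T.(y) \nvdash_g y : V$ for every $V$: by Theorem 7(2), a type for $y$ would require $E \vdash_g T : U$ for some $U$, which Theorem 14(2) excludes. Note that clause (6) checks typability of $y$ in the original prefix $E.\delta y{\leftarrow}T.(y)$, not in its legalized form $E.\chi y$ (where $y$ is excluded and untyped by construction); both judgements fail here, but only the former is what the definition asks for.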

The most relevant properties of the function $\mathrm{wf}_g$ are listed in the theorem below:

Theorem 17 main properties of the legalization function.

(1) (the legalization function is total)

For all $C_1$, there exists $C_2$ such that $\mathrm{wf}_g(C_1) = C_2$.
(2) (preservation of the native type assignment)

If $C_1 \vdash_g T : U$ and $\mathrm{wf}_g(C_1) = C_2$ then $C_2 \vdash_g T : U$.

(3) (environments in native type assignments can be assumed legal)

If $C_1 \vdash_g T : U$ then there exists $C_2$ such that $\mathrm{wf}_g(C_1) = C_2$ and $C_2 \vdash_g T : U$.

Proof. Clause (1) is proved by induction on $C_1$ with the help of Theorem 11(2). Clause (2) is proved by induction on its first premise; here we need Theorem 8(2), Theorem 9(2) and Theorem 11(2). Clause (3) is implied by the previous clauses. □

Theorem 17(2) and Theorem 17(3) imply each other, but we noticed that the second one is slightly harder to prove directly because its conclusion is existential.

5. CONCLUSIONS AND FUTURE WORK

In this paper we take the calculus $\lambda\infty$ [van Benthem Jutting 1994c] with the restricted applicability condition used by Pure Type Systems [Barendregt 1993], to which we add non-recursive untyped abbreviations, an infinite number of typed sorts, explicit type annotations, and some reduction schemes involving these constructions. Remarkably we also replace the call-by-name $\beta$-contraction scheme with its call-by-value version. Then we show that the resulting typed $\lambda$-calculus, that we term $\lambda\delta$, satisfies some important desirable properties such as the confluence of reduction, the correctness of types, the uniqueness of types up to conversion, the subject reduction of the type assignment, the strong normalization of the typed terms and, as a corollary, the decidability of the type inference problem.

$\lambda\delta$ features the unification of terms and types, the immersion of environments into terms, a "compatible" typing policy in which the dynamic aspect of the type assignment is confined in the "conversion rule" and finally a predicative abstraction.

The author conjectures that the expressive power of $\lambda\delta$ is that of $\lambda P$.

We see an application of this calculus as a formal specification language for the type theories, like mTT [Maietti and Sambin 2005] or CTT [Nordström et al. 1990; Martin-Löf 1984], that require to be expressed in a predicative foundation. In this sense $\lambda\delta$ can be related both to PAL+ [Luo 2003] and to Martin-Löf's theory of expressions [Nordström et al. 1990], that pursue the same aim and use the type system of $\lambda{\to}$ (i.e. they use arities). Namely the author conjectures that $\lambda\delta$ includes both these theories. In particular these calculi use $k$-uples of terms and $\lambda\delta$ can provide for this construction as well (see Appendix B.2).

The advantage of $\lambda\delta$ over these calculi is that the structural rules of mTT and CTT can be justified by the rules of our calculus (see Appendix A).

As an additional feature, the extension of $\lambda\delta$ termed $\chi\lambda\delta$ (Subsection 4.1) comes with a full machine-checked specification of its properties (see Subsection 1.3).

In this section we will discuss some design features of $\chi\lambda\delta$ (Subsection 5.1) and we will summarize the open issues of the calculus (Subsection 5.2).

5.1 The Block Structure of xA5 

$\chi\lambda\delta$ was carefully designed by the author on the basis of the criteria discussed in Subsection 1.2. Another important design issue of this calculus is its block structure, where by a block we mean a subset of constructions and reduction rules tightly connected to each other that we see as a unit (see Figure 15).
Fig. 15. Block hierarchy in $\chi\lambda\delta$

    block id   main item              main item denomination
    8          $\chi x$               unconditioned exclusion
    5          $\lambda x{:}W$        abstraction over a complete type $W$
    1          $\delta x{\leftarrow}V$   unconditioned abbreviation of $V$
    (illegible in this copy)   $\mathrm{Sort}_h$   sort of level $h$
    -1         $x$                    variable occurrence

Fig. 16. Detailed structure of the blocks about binding items

    item                    domain                              applicator with $\to_\upsilon$   reduction     unconditioned (header illegible in this copy; values follow the text below)   annotator with $\to_\tau$
    $\chi x$                $\{T \mid T \in \mathcal{T}\}$      no                               no            yes                                                                              no
    $\lambda x{:}V$         $\{T \mid E \vdash_g T : V\}$       $(V)$                            $\to_\beta$   no                                                                               $\langle W\rangle$
    $\delta x{\leftarrow}V$   $\{T \mid T = V\}$                no                               $\to_\delta$  yes                                                                              no



$\chi\lambda\delta$ has one block for each non-recursive construction and one for each binder.

The author assigned a numeric identifier to each block just to suggest a hierarchy in the block structure. The type $W$ on which we abstract using $\lambda x{:}W$ is complete because it represents a complete specification of the functional structure of its inhabitants (see the comments on Figure 7(abst)). The abbreviation introduced by $\delta x{\leftarrow}V$ is unconditioned because it can always be unfolded by reduction.

Generally speaking each binder has a domain, by which we mean the class of the terms that can be substituted for the variable occurrences referring to that binder. Moreover a binder is here called conditioned if it has an applicator item associated to a specific reduction rule. The applicator item always swaps with a binder of a different block by means of a $\upsilon$ reduction step (see Figure 2 and Figure 13) and the specific reduction rule always contracts the applicator-binder pair to an unconditioned abbreviation. An unconditioned binder is always eliminable by reduction when it is not an environment entry. If its domain is specified up to a non-trivial equivalence relation, its inhabitants can be annotated with a preferred specification of this domain. The annotator item can always be removed by reduction.

These considerations are summarized in Figure 16, where the $\lambda$-abstraction is considered in an environment $E$. Notice that the abbreviation and the exclusion do not have an applicator with a specific reduction because they are unconditioned.

5.2 Open Issues 

As already stressed along the paper, our presentation of $\lambda\delta$ leaves some open issues that we want to reconsider in this subsection.

First of all, some technical aspects of the calculus need to be improved: this includes taking a final decision on the shape of Definition 18 and of Definition 9.

In particular we plan to reformulate the reduction predicates without the explicit substitution (Definition 4, Definition 5, Definition 6), and we want to reformulate the arity assignment without the level equality (Definition 17) that is undecidable in general. We might also want to add the following type assignment rule:

$$\frac{E \vdash_g T : U \qquad E \vdash_g (V).U : W}{E \vdash_g (V).T : (V).U}\ \text{appl2} \qquad (13)$$

with which we expect to type in $\lambda\delta$ all terms typable in $\lambda\infty$ (see Subsection 1.2).

The items $\lambda y.D$, $\delta y{\leftarrow}F$, $(F)$ and $(D)$ are not allowed at the moment (recall that $D$ and $F$ stand for environments), but when $\lambda\delta$ is extended by considering them as well, a duality between terms and environments will arise (see Appendix B).

Secondly there are some conjectures that need to be proved formally. In particular we are interested in understanding if the problem of type inhabitation is decidable (this is an important property of $\lambda{\to}$, see [Barendregt 1993]).

Thirdly we might want to extend $\lambda\delta$ by adding more blocks in the sense of Subsection 5.1. Namely there are five constructions that can be of interest: declared constants (block 4), meta-variables (block -2), parameters (block 7), conditioned abbreviations (block 3) and abstractions over incomplete types (block 6).

The first three constructions are taken from real implementations of typed $\lambda$-calculus. In particular we see the declaration of a constant as the unconditioned version of the $\lambda$-abstraction, which we would like to denote with $\lambda_o x{:}V$ (where the $o$ can mean opaque or can be an omicron chosen after ὄνομα: Greek for "name").

Parameters appear in many logical frameworks [Kamareddine et al. 2004; Luo 2003]. Conditioned abbreviations are based on the binder $\delta_c x{\leftarrow}V$, on the applicator $(V)_c$ and on the reduction rule $(V)_c.\delta_c x{\leftarrow}V.T \to_{\beta_c} \delta x{\leftarrow}V.T$. They provide for possibly unexpandable abbreviations and mainly the applicator $(V)_c$ does not carry any information into a $\beta_c$-redex except for its presence (since the term $V$ appears in the binder). So we suspect that $(V)_c$ can be related to a connection of a Whole Adaptive System [Solmi 2005] and we call $(V)_c$ a connessionistic application item.*

Abstractions over incomplete types (i.e. types that do not specify the functional structure of their inhabitants completely) are meant to simulate the $\Pi$-abstractions of the $\lambda$-cube [Barendregt 1993] and the author sees fitting the $\Pi$ binder into the architecture of $\lambda\delta$ as a very challenging task. In particular it would be interesting to relate this extension of $\lambda\delta$ to COQ since this calculus has been fully specified in COQ [Barras 1996] as well as $\lambda\delta$ itself, and the author sees the possibility of certifying rigorously the mappings that may exist between these systems.

The novelty of $\lambda\delta$ extended with $\Pi$ would be that $\Pi$ could appear at the level of terms and inside environments rather than only at the level of types.

In the perspective of relating this extension with a COQ with universes, we would also need a mechanism that makes $\mathrm{Sort}_h$ a sub-sort of $\mathrm{Sort}_k$ when $h < k$.

A. JUSTIFYING THE STRUCTURAL FRAGMENT OF MTT WITH $\lambda\delta$

In the present appendix we show how the structural rules of Minimal Type Theory (mTT) [Maietti and Sambin 2005] can be justified through the rules of $\lambda\delta$ and we proceed in three steps. In Appendix A.1 we show that $\lambda\delta$ can be used as a theory of expressions for mTT. In Appendix A.2 we show that $\lambda\delta$ type assignment and conversion judgements can model mTT judgements. In Appendix A.3 we show that $\lambda\delta$ rules can model mTT structural rules. In order to achieve this objective, we propose to remove $\eta$-conversion and the so-called Cont judgement from mTT, and to perform some changes to the mTT rules called var and prop-into-set.

*Describing the computational model of a Whole Adaptive System in terms of a typed $\lambda$-calculus requires much more than conditioned abbreviations: in particular we feel that anti-binders, in the sense of [Hendriks and van Oostrom 2003], might play an important role for this task.

Our justification is based on a straightforward mapping of judgements, which exploits uniformly dependent types on the $\lambda\delta$ side. The underlying idea is to map the inhabitation judgements to the type judgement $\vdash\ :$ (at different levels of the type hierarchy) and the equality judgements to the conversion judgement $\vdash \Leftrightarrow^*$.

When referring to mTT we will use the notation of [Maietti and Sambin 2005]. 

A.1 λδ can serve as a Theory of Expressions for mTT 

According to [Maietti and Sambin 2005] the theory of expressions underlying mTT 
is the one, originally due to Martin-Löf, underlying CTT [Nordström et al. 1990] 
without combinations and selections. Moreover typed abstractions (à la Church) 
are used in place of untyped ones. 

Therefore mTT-expressions are based on variables, primitive constants, defined 
constants, applications and typed abstractions. 

Moreover every meaningful mTT-expression has an arity, which is a type expression 
of the instance of with one type constant 0. 

Equality between mTT-expressions is defined up to definitional equality: a rewriting 
mechanism that incorporates αβη-conversion, and δ-conversion (equality between 
the definiendum and the definiens of an abbreviation). 

In our proposal we leave η-conversion aside because we suspect that this conversion 
is not strictly necessary in mTT and is used just as syntactic sugar. In any 
case η-conversion is available for λ-abstractions as expected (see Theorem 3(8)). 

As a matter of fact λδ can handle the mentioned ingredients as follows. 

Variables, defined constants, applications and typed abstractions are 
term constructions of the calculus (see Definition 1). In particular we regard all 
definitions as δ-entries of a global environment C_γ in which we close every term. 

Primitive constants are regarded as references to λ-entries (i.e. declarations) 
of the environment C_γ. So C_γ contains declarations and definitions. 

Types can be substituted for arities. Notice that arities exist in λδ as well (see 
Definition 18) and that typed terms have an arity (see Theorem 10(1)). 

Finally definitional equality is handled through environment-dependent parallel 
conversion (see Definition 9) that incorporates αβδ-conversion. 

A.2 λδ Judgements can express mTT Judgements 

mTT features six main judgements that fall into two classes: declarations and 
equalities. Declarations state that an expression is a legal proposition, a legal data 
type, or a legal element of a data type. Equalities state that two legal propositions, 
data types, or elements of a data type are semantically equal. 

Parametric expressions are allowed and each main judgement includes an explicit 
environment where the local parameters are declared. 

Other parameters, shared among all judgements of a given rule, are declared in 
an implicit environment extracted from the premises of that rule. 

Summing up, a legal mTT-expression requires three environments: the explicit 
environment (provided by the judgement containing that expression), the implicit 
environment (extracted from the premises of the rule containing that judgement) 
and the global environment (for global declarations and abbreviations). 

A judgement stating that an explicit environment is legal, is also provided. 

We can map these judgements to λδ-judgements in the way we explain below. 

Sort hierarchy. We need two sorts Prop and Set that we regard as aliases 
of Sort_0 and Sort_1 respectively (we can include these abbreviations in the global 
environment C_γ). We also set the sort hierarchy parameter (see Subsection 2.4) to 
the function g_2z such that g_2z(h) = h + 2. This is the simplest choice ensuring that 
the positions of Set and Prop in the sort hierarchy graph (see Subsection 2.6) are 
disconnected. In particular we observe that if g_z(h) = h + 1 (as in Subsection 3.5) we 
derive directly from Figure 7(sort): E ⊢_gz Set : Prop, which is against the intuition. 

Environments. The explicit environment of an mTT-judgement has the form 
Γ = x1 ∈ A1 Set, ..., xn ∈ An Set where each xi is a variable and each Ai is an expression. 

We can map each declaration of Γ to a λ-entry, so Γ itself becomes the environment 
C_Γ = λx1:A1 ... λxn:An.Set of λδ. 

The implicit environment of an mTT-judgement does not need an explicit mapping 
since we can exploit the implicit environment of the corresponding judgement 
of λδ (at least as long as we are dealing just with the structural rules of mTT). 

Declarations: A Prop [Γ], A Set [Γ], a ∈ A Set [Γ], Γ Cont. 

A declaration judgement is mapped to a type assignment judgement (see Definition 13). 
Namely we map A Prop [Γ] to C_γ.C_Γ ⊢_g2z A : Prop, we map A Set [Γ] 
to C_γ.C_Γ ⊢_g2z A : Set and we map a ∈ A Set [Γ] to C_γ.C_Γ ⊢_g2z a : A in the implicit 
environment C_γ.C_Γ ⊢_g2z A : Set. Here C_γ.C_Γ refers to the concatenation of C_γ and 
C_Γ. Notice that the type assignment is invariant for conversion (modelling definitional 
equality) as stated by Figure 7(conv) and Theorem 9(6). 

Coming to the legal explicit environment judgement Γ Cont, the experience of 
the author with λδ shows that such a judgement is useless (as it does not guarantee 
additional meta-theoretical properties) and heavy (as it introduces a mutual 
dependence between itself and A Set [Γ] at the meta-theory level). The point is 
that an unreferenced parameter does not need a legal declaration unless it is the 
formal argument of a function. So we propose not to map Γ Cont and to change 
the related rules (see Appendix A.3). In any case legal environments are supported 
in the calculus χλδ (Subsection 4.2) if they are needed for some reason. 

Equalities: A1 = A2 Prop [Γ], A1 = A2 Set [Γ], a1 = a2 ∈ A Set [Γ]. 

An equality judgement is mapped to an environment-dependent conversion judgement 
(see Definition 9). Namely, we map A1 = A2 S [Γ] to C_γ.C_Γ ⊢ A1 ⇔* A2 in 
the implicit environment C_γ.C_Γ ⊢_g2z A1 : S and C_γ.C_Γ ⊢_g2z A2 : S where S is either 
Prop or Set, and we map a1 = a2 ∈ A Set [Γ] to C_γ.C_Γ ⊢ a1 ⇔* a2 in the implicit 
environment C_γ.C_Γ ⊢_g2z a1 : A, C_γ.C_Γ ⊢_g2z a2 : A and C_γ.C_Γ ⊢_g2z A : Set. 

Notice that the conversion judgement is invariant for conversion itself (modelling 
definitional equality) because the conversion is an equivalence relation. 

A.3 λδ Rules can express mTT Structural Rules 

Our proposal for the structural rules of mTT is shown in Figure 17. 

The prop-into-set rule cannot be modelled, as it is, by λδ because λδ does 
not feature subtyping. Therefore our proposal is to make the coercion from Prop to 
Set explicit. Namely we declare a primitive constant pr of type λx:Prop.Set in the 
global environment C_γ and we set Figure 17(ps) modelled by Figure 7(appl). This 
solution is well known in the literature (see [Coquand and Huet 1988; van Benthem 
Jutting 1994b; de Bruijn 1994c]). 
(ps)     A Prop [Γ] 
         ───────────────── 
         pr(A) Set [Γ] 

(var)    A Set [Γ] 
         ───────────────────────────── 
         x ∈ A Set [Γ, x ∈ A Set, Δ] 

(seteq)  a ∈ A1 Set [Γ]    A1 = A2 Set [Γ] 
         ────────────────────────────────── 
         a ∈ A2 Set [Γ] 

(r)      A Set [Γ] 
         ───────────────── 
         A = A Set [Γ] 

(s)      A1 = A2 Set [Γ] 
         ───────────────── 
         A2 = A1 Set [Γ] 

(t)      A1 = A Set [Γ]    A = A2 Set [Γ] 
         ──────────────────────────────── 
         A1 = A2 Set [Γ] 

(r)      A Prop [Γ] 
         ───────────────── 
         A = A Prop [Γ] 

(s)      A1 = A2 Prop [Γ] 
         ────────────────── 
         A2 = A1 Prop [Γ] 

(t)      A1 = A Prop [Γ]    A = A2 Prop [Γ] 
         ────────────────────────────────── 
         A1 = A2 Prop [Γ] 

(r)      a ∈ A Set [Γ] 
         ───────────────────── 
         a = a ∈ A Set [Γ] 

(s)      a1 = a2 ∈ A Set [Γ] 
         ───────────────────── 
         a2 = a1 ∈ A Set [Γ] 

(t)      a1 = a ∈ A Set [Γ]    a = a2 ∈ A Set [Γ] 
         ──────────────────────────────────────── 
         a1 = a2 ∈ A Set [Γ] 

(i)      A Set [Γ]    B Set [Γ, x ∈ A Set] 
         ───────────────────────────────── 
         (x : A)B (x : A)Set [Γ] 

(i)      A Set [Γ]    B1 = B2 Set [Γ, x ∈ A Set] 
         ─────────────────────────────────────── 
         (x : A)B1 = (x : A)B2 (x : A)Set [Γ] 

(i)      A Set [Γ]    B Prop [Γ, x ∈ A Set] 
         ────────────────────────────────── 
         (x : A)B (x : A)Prop [Γ] 

(i)      A Set [Γ]    B1 = B2 Prop [Γ, x ∈ A Set] 
         ──────────────────────────────────────── 
         (x : A)B1 = (x : A)B2 (x : A)Prop [Γ] 

(i)      A Set [Γ]    b ∈ B Set [Γ, x ∈ A Set] 
         ───────────────────────────────────── 
         (x : A)b ∈ (x : A)B (x : A)Set [Γ] 

(i)      A Set [Γ]    b1 = b2 ∈ B Set [Γ, x ∈ A Set] 
         ─────────────────────────────────────────── 
         (x : A)b1 = (x : A)b2 ∈ (x : A)B (x : A)Set [Γ] 

(e)      a ∈ A Set [Γ]    B (x : A)Set [Γ] 
         ───────────────────────────────── 
         B(a) Set [Γ] 

(e)      a ∈ A Set [Γ]    B1 = B2 (x : A)Set [Γ] 
         ─────────────────────────────────────── 
         B1(a) = B2(a) Set [Γ] 

(e)      a ∈ A Set [Γ]    B (x : A)Prop [Γ] 
         ────────────────────────────────── 
         B(a) Prop [Γ] 

(e)      a ∈ A Set [Γ]    B1 = B2 (x : A)Prop [Γ] 
         ──────────────────────────────────────── 
         B1(a) = B2(a) Prop [Γ] 

(e)      a ∈ A Set [Γ]    b ∈ (x : A)B (x : A)Set [Γ] 
         ──────────────────────────────────────────── 
         b(a) ∈ (x : A)B(a) Set [Γ] 

(e)      a ∈ A Set [Γ]    b1 = b2 ∈ (x : A)B (x : A)Set [Γ] 
         ────────────────────────────────────────────────── 
         b1(a) = b2(a) ∈ (x : A)B(a) Set [Γ] 

Fig. 17. Our proposal for the structural rules of mTT (premises above the line, conclusion below) 

The var rule. Our proposal for this rule is Figure 17(var) modelled by 
Figure 7(decl). The implicit environment is respected because of Theorem 8(1). 

The seteq rule. This rule is Figure 17(seteq) modelled by Figure 7(conv) whose 
first premise is taken from the implicit environment. 

The equivalence rules of the equality judgements are justified by the fact that 
the environment-dependent conversion is an equivalence relation. 

The complete list is in Figure 17 (labels: r, s, t). 

The derivable rules. Notice that [Nordström et al. 1990] suggests some additional 
structural rules (like a second seteq rule and some substitution rules) that are 
not included in mTT because they are derivable. In the λδ perspective we derive 
these rules from Theorem 3(4), Theorem 3(5), Theorem 8(5) and Theorem 8(7). 

The rules on classes. If we regard Prop and Set as primitive constants rather 
than judgement keywords, we can build expressions like (x1 : e1) ... (xn : en)Set or 
(x1 : e1) ... (xn : en)Prop (called types in mTT or categories in CTT [Martin-Löf 
1984]). With these "classes" we can form the following judgements: 

B (x : A)Set [Γ]            B1 = B2 (x : A)Set [Γ] 
B (x : A)Prop [Γ]           B1 = B2 (x : A)Prop [Γ]            (14) 
b ∈ B (x : A)Set [Γ]        b1 = b2 ∈ B (x : A)Set [Γ] 

that we explain with the rules modelled by Figure 7(abst) and Theorem 3(6). These 
rules are shown in Figure 17 with the label: i. The elimination rules, modelled by 
Figure 7(appl) and Theorem 3(4), are shown in Figure 17 with the label: e. 
B. TOWARDS A DUALITY BETWEEN TERMS AND ENVIRONMENTS 

The present appendix contains some hints on how the author plans to complete 
λδ by adding the items λy:D, δy←F, (F) and ⟨D⟩ both in the terms and in the 
environments. In principle the need for these items was evident from the very 
start but they were not included in [Guidi 2007a] because of the technical problems 
they seemed to give. In particular the author did not see the importance of the 
iterated static type assignment as a way to map T into E (Subsection 2.5) until the 
properties of λδ were made clear (especially Theorem 12(2), Theorem 12(1) and 
Theorem 10(1)). We would like to stress that the contents of this appendix are just 
a proposal for future research on λδ and have not been certified yet. 

In Appendix B.1 we introduce these new items, in Appendix B.2 we propose the 
new term construction {F}.T as an application, in Appendix B.3 we propose to 
merge T and E in a single data type to avoid the replication of dual definitions and 
theorems in the perspective of certifying the properties of complete λδ. 

B.1 Complete λδ: Dualizing Terms and Environments 

According to Definition 1 the argument of the abstractors, abbreviators, applicators 
and type annotators is a term. Nevertheless an environment can be allowed as well. 

Definition 27 complete syntax of terms and environments. 

The complete versions of T and E are defined by extending Definition 1 as follows: 

T = T | λW:E.T | δW←E.T | (E).T | ⟨E⟩.T                (15) 

E = E | W | λW:E.E | δW←E.E | (E).E | ⟨E⟩.E            (16) 

where W is a set of names for variables denoting environments. 

We call a recursive construction positive when its arguments belong to the same 
type and negative otherwise. We call this attribute the polarity of the construction. 

Notice that the calculi of the λμ family use two different sets of variables as well. 
Once defined in this way, T and E are isomorphic through the polarity preserving 
transformations ℰ : T → E and 𝒯 : E → T defined below. 

Definition 28 the transformations ℰ and 𝒯. 

The transformations ℰ : T → E and 𝒯 : E → T work as follows: 

(1) ℰ[Sort_h] = Sort_h and 𝒯[Sort_h] = Sort_h; 

(2) ℰ[x] = y and 𝒯[y] = x (here we assume that V and W are isomorphic); 

(3) ℰ[λx:W.T] = λy:ℰ[W].ℰ[T] and 𝒯[λy:D.E] = λx:𝒯[D].𝒯[E]; 

(4) ℰ[λy:D.T] = λx:𝒯[D].ℰ[T] and 𝒯[λx:W.E] = λy:ℰ[W].𝒯[E]; 

(5) ℰ[δx←V.T] = δy←ℰ[V].ℰ[T] and 𝒯[δy←F.E] = δx←𝒯[F].𝒯[E]; 

(6) ℰ[δy←F.T] = δx←𝒯[F].ℰ[T] and 𝒯[δx←V.E] = δy←ℰ[V].𝒯[E]; 

(7) ℰ[(V).T] = (ℰ[V]).ℰ[T] and 𝒯[(F).E] = (𝒯[F]).𝒯[E]; 

(8) ℰ[(F).T] = (𝒯[F]).ℰ[T] and 𝒯[(V).E] = (ℰ[V]).𝒯[E]; 

(9) ℰ[⟨W⟩.T] = ⟨ℰ[W]⟩.ℰ[T] and 𝒯[⟨D⟩.E] = ⟨𝒯[D]⟩.𝒯[E]; 

(10) ℰ[⟨D⟩.T] = ⟨𝒯[D]⟩.ℰ[T] and 𝒯[⟨W⟩.E] = ⟨ℰ[W]⟩.𝒯[E]. 
Definition 27 opens some issues: we discuss the most relevant below. 

Focalized terms. When a term reference x points to an abstractor λx:W in 
an environment E it may be the case that the rightmost item of E is not a sort. 
In that event we must consider its iterated static type (see Theorem 12(2)). More 
precisely if E is C.y and if y points to λy:D or to δy←F, we recursively resolve 
x in the environments C.D or C.F respectively (this is much like considering the 
iterated static type of E except for the rightmost sort item that is irrelevant when 
searching for binders). This solution may look strange at a first glance but consider 
E = λy:D.y: this is the empty environment whose "hole" is y in the sense of 
[Curien and Herbelin 2000]. Normally the references to the empty environment are 
not legal but in our case the "hole" is typed explicitly so we can foresee its contents 
by inspecting its type. This means that for D = λx:W.Sort_g(h) the focalized term 
(λy:D.y, x) is legal and the term reference x points to λx:W. Furthermore that 
reference continues to point to the same binder when E is instantiated and reduced: 

(1) Legal instantiation with F = λx:W.Sort_h: ((F).λy:D.y, x). 

(2) β-contraction: (δy←F.y, x). 

(3) δ-expansion: (δy←F.F, x). 

(4) ζ-contraction: (F, x). 

As we see, everything works fine because the item λx:W must appear in F as 
well as in D in order for the instantiation to be legal (i.e. well typed). 

If the term reference x points to an abbreviator δx←V, we do the same thing. 

Pushing. When moving an abstractor λx:W from a term to an environment, 
as we might need to do when the term and the environment themselves are the 
components of a focalized term, we must make sure that the references to λx:W 
are preserved. So, when the environment has the form C.y where y points to λy:D 
or to δy←F, we must move λx:W recursively into D or F respectively. In the first 
case this amounts to updating the explicit type D of the environment "hole" in a 
way that makes it possible to fill that "hole" through a legal instantiation. 

As before, when we move an abbreviator δx←V, we do the same thing. 

Reduction. The β-redexes are (V).λx:W (from Subsection 2.3) and symmetrically 
(F).λy:D. The abbreviations δx←V.E do not ζ-reduce (from [Guidi 2006]) 
and symmetrically the abbreviations δy←F.T do not ζ-reduce either. 

B.2 Environments as Aggregates 

Formally the k-uple (V_{k-1}, ..., V_0) at position (h, 0) in the type hierarchy is denoted 
by the environment E = δx_{k-1}←V_{k-1} ... δx_0←V_0.Sort_h. 

More generally the binders λx:W and δx←V of an environment E (as well as 
the binders λy:D and δy←F of a term T) can be seen as the fields of an aggregate 
structure. These fields can be definitions (denoted by the δx←V items) or declarations 
(denoted by the λx:W items) and can be dependent. In order to be effective, 
aggregates need a projection mechanism that allows to read their fields. To this 
aim we propose the item {F} that we call projector and the term construction 
{F}.T that we call projection. Considering the previous k-uple E, the basic idea is 
that {E}.x_i must reduce to V_i, so we set the following sequential reduction rule. 

If F ⊢ T1 → T2 and if T2 does not refer to F then {F}.T1 → T2                (17) 

Notice that {F}.T might be related to the with instruction of the PASCAL programming 
language [Jensen and Wirth 1981] and might look like: with F do T. 

Following the "environments as aggregates" interpretation, we might expect to 
type E with C1 = λx_{k-1}:W_{k-1} ... λx_0:W_0.Sort_g(h) where each W_i is the type of 
V_i. Nevertheless the type of E as a term is C2 = δx_{k-1}←V_{k-1} ... δx_0←V_0.Sort_g(h) 
according to Definition 13 but notice that C2 ⊆_g C1 (this is the domain-based 
preorder of Subsection 2.7). This consideration shows that it could make sense to 
investigate the extension of λδ with a subtyping relation based on ⊆_g. 

B.3 Unified λδ: Introducing Polarized Terms 

In this subsection we propose the notion of a polarized term: an expression capable 
of representing both a term and an environment (in the sense of Definition 27) in 
a way that turns the transformations ℰ and 𝒯 into the identity functions. 

The basic idea consists in decorating the recursive term constructions with the 
information on their polarity represented as a boolean value. 

Let us denote the data type of the boolean values with 𝟚 = {−, +} and let us 
assume that + (positive polarity) represents T, then a polarized term is as follows. 

Definition 29 syntax of polarized terms. 
The set of polarized terms is defined as follows: 

P = Sort_ℕ | V | 𝟚λV:P.P | 𝟚δV←P.P | 𝟚(P).P | 𝟚⟨P⟩.P                (18) 

Definition 29 opens the issue of deciding whether a Q ∈ P can be mapped back 
to a V ∈ T or to an E ∈ E. Clearly the fact that the transformations ℰ and 𝒯 
are mapped to the identity functions on P says that this information, which we call 
the absolute polarity of Q, is not recoverable. What we can recover is the relative 
polarity of Q with respect to a superterm P of Q. This is to say that we can know 
if P and Q represent two elements of the same type or not. 

Definition 30 relative polarity assignment. 

The partial function polarity[P, Q], that returns + if the terms P and Q have the 
same absolute polarity, is defined by the clauses shown below, where ↔ denotes the 
boolean coimplication (i.e. the negated exclusive disjunction). 

(1) (refl) polarity[P, P] = +; 

(2) (trans) if polarity[P1, P] = b1 and polarity[P, P2] = b2 then 
polarity[P1, P2] = b1 ↔ b2; 

(3) (fst) polarity[bλz:Q.P, P] = +; polarity[bδz←Q.P, P] = +; 
polarity[b(Q).P, P] = +; polarity[b⟨Q⟩.P, P] = +; 

(4) (snd) polarity[bλz:Q.P, Q] = b; polarity[bδz←Q.P, Q] = b; 
polarity[b(Q).P, Q] = b; polarity[b⟨Q⟩.P, Q] = b. 

We conjecture that the knowledge of relative polarity is enough to treat the 
version of λδ based on polarized terms. We call this calculus unified λδ or Iλδ. 

As an example let us consider the restrictions on reduction mentioned in Appendix 
B.1. The unified β-redex takes the form b(Q1).bλz:Q2, while ζ-reduction is 
allowed on the items +δz←Q and not allowed on the items −δz←Q. 
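The following Python program is an added worked example, written for this edition and not taken from the paper or from the certified specification [Guidi 2007a]. It encodes the polarized terms of Definition 29, computes the relative polarity of Definition 30 by composing the (fst) and (snd) clauses along the path from a superterm to a subterm with the coimplication of (trans), recovers the absolute class of a subterm once the class of the superterm is fixed (the readback question raised after Definition 29), and checks the two restrictions on reduction stated at the end of Appendix B.3. The class names Sort, Var and Item, the kind labels "lam", "delta", "appl" and "cast", the function names and the sample terms are this example's own assumptions.

```python
"""Added example: polarized terms (Definition 29) and relative polarity
(Definition 30).  Encoding and names are assumptions of this example, not the
paper's Coq specification."""
from dataclasses import dataclass
from typing import Optional, Union

# Polarity bits of 2 = {-, +}: + marks a construction whose argument has the same
# absolute polarity as the construction itself, - marks one whose argument is dual.
PLUS, MINUS = "+", "-"


@dataclass(frozen=True)
class Sort:
    h: int


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Item:
    """One of b lambda z:Q.P, b delta z<-Q.P, b (Q).P, b <Q>.P: a polarity bit,
    the kind of item, the bound name (unused for appl and cast), argument Q, body P."""
    kind: str          # "lam" | "delta" | "appl" | "cast"  (assumed kind names)
    pol: str           # PLUS or MINUS
    z: str
    arg: "Term"        # Q
    body: "Term"       # P


Term = Union[Sort, Var, Item]


def xnor(b1: str, b2: str) -> str:
    """Boolean coimplication b1 <-> b2: + exactly when the two bits agree."""
    return PLUS if b1 == b2 else MINUS


def polarity(P: Term, Q: Term) -> Optional[str]:
    """Relative polarity polarity[P, Q] of Definition 30, or None when Q is not a
    subterm of P (the function is partial).  The clauses are applied along the
    path from P down to Q: (refl) at the end, (fst) for a step into the body,
    (snd) for a step into the argument, composed by (trans) via xnor."""
    if P == Q:                                   # (refl)
        return PLUS
    if isinstance(P, Item):
        via_body = polarity(P.body, Q)
        if via_body is not None:                 # (fst) gives +, then (trans)
            return xnor(PLUS, via_body)
        via_arg = polarity(P.arg, Q)
        if via_arg is not None:                  # (snd) gives b, then (trans)
            return xnor(P.pol, via_arg)
    return None


def absolute_class(P: Term, Q: Term, class_of_P: str) -> Optional[str]:
    """Given the class of P ("T" for terms, "E" for environments; Appendix B.3
    takes + as T), recover the class of a subterm Q: equal to that of P when the
    relative polarity is +, dual when it is -."""
    rel = polarity(P, Q)
    if rel is None:
        return None
    dual = {"T": "E", "E": "T"}
    return class_of_P if rel == PLUS else dual[class_of_P]


def is_unified_beta_redex(P: Term) -> bool:
    """Unified beta-redex b(Q1).b lambda z:Q2 (Appendix B.3): an applicator whose
    body is an abstractor carrying the same polarity bit."""
    return (isinstance(P, Item) and P.kind == "appl"
            and isinstance(P.body, Item) and P.body.kind == "lam"
            and P.pol == P.body.pol)


def zeta_allowed(P: Term) -> bool:
    """zeta-reduction is allowed on +delta z<-Q and not on -delta z<-Q."""
    return isinstance(P, Item) and P.kind == "delta" and P.pol == PLUS


# Constructed sample: a positive applicator whose body is a negative abstractor,
# i.e. the complete-syntax item lambda y:D.T of Definition 27 (a term whose
# argument D is an environment).
D = Sort(0)
NEG_LAM = Item("lam", MINUS, "y", D, Var("y"))
SAMPLE = Item("appl", PLUS, "", Var("v"), NEG_LAM)

if __name__ == "__main__":
    print(polarity(SAMPLE, NEG_LAM), polarity(SAMPLE, D),
          absolute_class(SAMPLE, D, "T"))
```

Running the sample gives + for the abstractor (same class as the applicator), − for D (it sits in the argument position of a negative item), and hence class E for D once SAMPLE is read as a term; two nested negative steps cancel, as the coimplication prescribes.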
C. A NOTE ON THE CURRENT STATE OF THE FORMAL SPECIFICATION 

In this appendix we discuss the current state of the definitions that formally specify 
λδ in the Calculus of Inductive Constructions [Guidi 2007a] in terms of modifications 
with respect to their initial state [Guidi 2006]. 

Firstly we set up a mechanism to avoid the need of exchanging the environment 
binders in the proof of Theorem 6(8). In particular we defined an extension of the 
lift function and an extension of the drop function [Guidi 2006] that apply a finite 
number of relocations to a term. The "relocation parameters" (i.e. the arguments 
h and i of the lift function) are contained in a list of pairs (h, i). Here s will 
always denote a variable for such a list. 

These definitions are given in Definition 31 and Definition 32 below. 

Definition 31 the multiple relocation function. 

↑_∅ T = T 

↑_{(h,i);s} T = ↑^h_i ↑_s T 

Definition 32 axioms for multiple dropping. 

(1) (non recursive case) 

↓_∅ C = C. 

(2) (recursive case) 

If ↓^h_i C1 = C2 and ↓_s C2 = C3 then ↓_{(h,i);s} C1 = C3. 
With these functions we were able to rephrase Definition 21 as follows: 

Definition 33 the strong reducibility predicate. 

(C, T) ∈ [(h, k)]_g iff C ⊢_g T ▷ (h, k) and sn(C, T) 

(C, T) ∈ [L1 ⇒ L2]_g iff C ⊢_g T ▷ L1 ⇒ L2 and for each D, W, s,                (20) 
    (D, W) ∈ [L1]_g and ↓_s D = C imply (D, (W).↑_s T) ∈ [L2]_g 

The other definitions not included in [Guidi 2006] were formalized substantially 
as they appear in the previous sections, and we omit them here. 

Remarkably we made some corrections to the preorders on environments (Defi- 
nition 19, Definition 20, Definition 22) in order to prove Theorem 10(3). 

Notice that relocations (i.e. applications of the lift function) were added where 
necessary both in the definitions and the theorems because in [Guidi 2007a], vari- 
ables are referenced by position and not by name as in the present paper. 

Secondly we took a final decision about the notation of the cast item, for which 
we now use ⟨V⟩ instead of {V} (see Definition 1, Definition 27 and Definition 29). 
We also changed the native type assignment rule Figure 7(cast) because the former 
version applies a τ-reduction at the level of types in contrast with the general 
policy stated in Subsection 1.2. Theorem 7(6) is changed accordingly. 

Thirdly we took a final decision on the domain of the exclusion binder and we 
rearranged the overall architecture of the calculus, also inserting the block for 
declared constants (see Subsection 5.1 and Subsection 5.2). 

At the same time we took a final decision on the name of the extension of λδ 
with the unconditioned exclusion binder, which is now χλδ instead of λδχ. 

Finally we used →_τ here in place of →_ε for the reduction step that removes 
explicit type casts to avoid a clash with other reduction steps named ε appearing 
in the literature (see for instance the calculus λε in [Sørensen and Urzyczyn 2006]). 
Currently (May 2008), the Basic module of the certified specification [Guidi 
2007a] consists of 525 kilobytes of COQ vernacular describing 85 definitions and 683 
theorems. The Ground module, that extends the standard library of COQ, consists 
of 34 kilobytes of vernacular describing 28 definitions and 50 theorems. From the 
standard library of COQ we borrow 18 definitions and 69 theorems. 

D. POINTERS TO THE CERTIFIED PROOFS 

As we mentioned in Subsection 1.3 the certified proofs of all results stated in this 
paper are available as resources of the Hypertextual Electronic Library of Mathematics 
(HELM) and their representation in natural language can be obtained through 
the HELM rendering software. Each proof is identified by a path that we list below. 
We provide two methods to obtain the representation of a proof: 

— The dynamic representation is generated on the fly by the HELM rendering 
software, which is very slow when big proofs are rendered (such as Theorem 3(1)). 
Visit the HELM on-line library at http://helm.cs.unibo.it/browse/, follow 
the path matita/lambda-delta/plain/Basic/ and then the path of the proof. 
You cannot reach a proof by concatenating these paths in a single http address. 

— The static representation has already been generated so it displays faster. 
Visit the λδ web site at http://helm.cs.unibo.it/lambda-delta/static/, 
follow the path matita/lambda-delta/plain/Basic/ and then the path of the 
proof, that in this case has .html appended at the end. You can also reach the 
proof by concatenating these three paths in a single http address. 

The proofs are displayed correctly only selecting a font with Unicode support. 
The following paths are parts of Uniform Resource Identifiers (URI) [Network 
Working Group 1998] so we cannot guarantee their persistence. 



(1) Path for Theorem 1(1): arity/props/node_inh.con 

(2) Path for Theorem 1(2): arity/props/arity_mono.con 

(3) Path for Theorem 1(3): arity/subst0/arity_subst0.con 

(4) Path for Theorem 1(4): csuba/arity/csuba_arity.con 

(5) Path for Theorem 2(1): arity/pr3/arity_sred_wcpr0_pr0.con 

(6) Path for Theorem 2(2): arity/pr3/arity_sred_pr3.con 

(7) Path for Theorem 3(1): pr0/props/pr0_subst0.con 

(8) Path for Theorem 3(2): pr0/pr0/pr0_confluence.con 

(9) Path for Theorem 3(3): pr3/pr3/pr3_confluence.con 

(10) Path for Theorem 3(4): pc3/props/pc3_thin_dx.con 

(11) Path for Theorem 3(5): pc3/props/pc3_head_1.con 

(12) Path for Theorem 3(6): pc3/props/pc3_head_2.con 

(13) Path for Theorem 3(7): pc3/fwd/pc3_gen_abst.con 

(14) Path for Theorem 3(8): pc3/props/pc3_eta.con 

(15) Path for Theorem 4: nf2/arity/arity_nf2_inv_all.con 

(16) Path for Theorem 5(1): csubc/csuba/csubc_csuba.con 

(17) Path for Theorem 5(2): csubc/arity/csubc_arity_conf.con 